
Windows Analysis Report
lz3EbiqoK4.exe

Overview

General Information

Sample name: lz3EbiqoK4.exe (renamed because original name is a hash value)
Original sample name: 33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
Analysis ID: 1571838
MD5: 33c2adebfe2c3acedfb34ffff8151b7d
SHA1: 8e93f7ecafa92017a7d528423574ab5cfeec754a
SHA256: 773e13fffd0842e717ce55e2a678da37123c55186f9c92460c671261b1654ffd
Tags: exe, QuasarRAT, RAT, user-abuse_ch

Detection

Quasar
Score: 46
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Installation of TeamViewer Desktop
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious desktop.ini Action
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • lz3EbiqoK4.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\lz3EbiqoK4.exe" MD5: 33C2ADEBFE2C3ACEDFB34FFFF8151B7D)
    • Client-built.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Local\Temp\Client-built.exe" MD5: 181719B653C83D0463D89A625A7F5C3E)
    • TeamViewer_Setup_x64.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" MD5: D15511E4B90CC6729FEDAF86D080D1F6)
      • TeamViewer_.exe (PID: 7964 cmdline: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" MD5: 8318FC63158C01368AADC6D4BE89FAD1)
        • schtasks.exe (PID: 8044 cmdline: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 4464 cmdline: C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • TeamViewer_.exe (PID: 8092 cmdline: "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE MD5: 8318FC63158C01368AADC6D4BE89FAD1)
    • schtasks.exe (PID: 3524 cmdline: C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "167.71.56.116:22269;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "3470ac31-30aa-4cf6-ab0a-1ed0dd64656f", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Client-built.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
C:\Users\user\AppData\Local\Temp\Client-built.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\Client-built.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28ee9d:$x1: Quasar.Common.Messages
  • 0x29f1c6:$x1: Quasar.Common.Messages
  • 0x2ab83e:$x4: Uninstalling... good bye :-(
  • 0x2ad033:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Local\Temp\Client-built.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x2aadf0:$f1: FileZilla\recentservers.xml
  • 0x2aae30:$f2: FileZilla\sitemanager.xml
  • 0x2aae72:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab0be:$b1: Chrome\User Data\
  • 0x2ab114:$b1: Chrome\User Data\

Source | Rule | Description | Author | Strings
00000001.00000000.1871811766.00000000012E0000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000001.00000002.3667738198.00000000036D6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000001.00000002.3667738198.0000000003581000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Process Memory Space: Client-built.exe PID: 7612 | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security

Source | Rule | Description | Author | Strings
1.0.Client-built.exe.fc0000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
1.0.Client-built.exe.fc0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
1.0.Client-built.exe.fc0000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28ee9d:$x1: Quasar.Common.Messages
  • 0x29f1c6:$x1: Quasar.Common.Messages
  • 0x2ab83e:$x4: Uninstalling... good bye :-(
  • 0x2ad033:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
1.0.Client-built.exe.fc0000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x2aadf0:$f1: FileZilla\recentservers.xml
  • 0x2aae30:$f2: FileZilla\sitemanager.xml
  • 0x2aae72:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab0be:$b1: Chrome\User Data\
  • 0x2ab114:$b1: Chrome\User Data\
  • 0x2ab3ec:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4e8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab640:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6fa:$b5: YandexBrowser\User Data\
  • 0x2ab768:$b5: YandexBrowser\User Data\
  • 0x2ab43c:$s4: logins.json
  • 0x2ab172:$a1: username_value
  • 0x2ab190:$a2: password_value
  • 0x2ab47c:$a3: encryptedUsername
  • 0x2fd3b0:$a3: encryptedUsername
  • 0x2ab4a0:$a4: encryptedPassword
  • 0x2fd3ce:$a4: encryptedPassword
  • 0x2fd34c:$a5: httpRealm
1.0.Client-built.exe.fc0000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab928:$s3: Process already elevated.
  • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278c58:$s5: GetKeyloggerLogsDirectory
  • 0x29e925:$s5: GetKeyloggerLogsDirectory
  • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

System Summary

Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe, ProcessId: 7964, TargetFilename: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F, CommandLine: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe, ParentProcessId: 7964, ParentProcessName: TeamViewer_.exe, ProcessCommandLine: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F, ProcessId: 8044, ProcessName: schtasks.exe
Source: File created | Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) | Data: EventID: 11, Image: C:\Users\user\Desktop\lz3EbiqoK4.exe, ProcessId: 7484, TargetFilename: C:\Windows\assembly\Desktop.ini

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T18:52:47.774466+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 167.71.56.116 | 22269 | 192.168.2.4 | 49731 | TCP
2024-12-09T18:52:47.774466+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 167.71.56.116 | 22269 | 192.168.2.4 | 49731 | TCP

AV Detection

                    Source: 1.0.Client-built.exe.fc0000.0.unpackMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "167.71.56.116:22269;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "3470ac31-30aa-4cf6-ab0a-1ed0dd64656f", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAJq3Mj8c1rXwra3rDC0BgzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIwNDA5Mzc1OFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgDdz73u2oR4NOea2y1Gy+ejcDZB7rD3j8AcyTdfqU60MW8K4UCvWDATRHvg0Q+WxaHgJjvGGAOzSgmLJF/sKanAHM+Ejhya1aOTADACluOYW9YcZ4hhpmvAgq9IZKr3VXAH6AlDVb6EYlFvNUzQMRbMzZflnnYPpoKtj96/xEllcqnYYe5iiIF25objFBsOivILrD8r5zzl30bfwt6bcs7EZ77qOOajuTqF5VPneX/C1mgSqnK1KeE4MyI6vfJvaWAQ7sjNLWflauxXUMALmiEssTwcfJ1+GOhoXngcZ6TzTQqdzBGbaEmgWvsIvZSgGu/ddDnX01P26IKwLVHCFRdDY82m3FXkPv/WpK+P95yeUA3uzIIZlbFPXr+8pdylqs/E5+b7LNIAxQRhXI4NfwAhUfLq4MhYlLh844vRdBda+7g19pW6rrU+R5BObTIE5pry54Stz+rgS9I81k7Kaqzq2MbOMYoHBSQkfH/whUILDnSvm+J/7nAm1kYbamCUZQY27NYhcHWmBEBEwSDe4K2MlHzn2nEXY7H1GRTvdCtUnHoLbGGue4J64dnTA1mL4XYWgmKjNWUcemFuo3lkQD+M3GkW5nTPlEkP6X116nlzIH1tm3fp2PRQphJvowVrcA/Ch6Me4VYt7vEV4gUPn9o+tqu2QDvFBjS+iFx8YYXcCAwEAAaMyMDAwHQYDVR0OBBYEFM0CBviNX3UM6cXNdgOhJ1Q8+Tu5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBABtf3WU07+re45SWDknjH/SP021fFZEXLh9u7mE/zGyJw2C3vhs9+47GhCp6jNjZg7NntWJboiyj4VhNHRuLnqItAPF60JGo3Q3TuSRDdCcDg/9DSdbODMg2EcH/kk1yVQgE6+qDC7H+SbNn6JgTnFTH1KesnSHl/m/Y3Bg2+ZTiJuDwxBXsAfRjSuhjaMe/k2oCWE5PngTtcSSOLbhMQ7kAZMl3++MSFe3Q8vUnpyKq5gELt1RnACtyPInqCM2gXA1rRw407+6AoyjnUo5M5/jwYIicQEJVkkJSSO7opyR1t9SNh8nrjxEtJIgsitQRrGh0vJLQYeTJDCy4RGwR8o7sruyrJcfHZjX3D1QujdUl1C6mSTR9E/LW2pEq4EkaifcG4WOejyIsspkrCDSeyWyRXjMxq4FlVGgtbzVZbIQbPOpSbDMNIHr4QKgsp0Xa/cgb830U6g5TFUNX2C7ueZrDpV0nAvOUsm2OQ9SBPLSgds4hESjjSxh2I2/WwYJl1TB642zOPUPfOuYN2xvBm9
D0sZWMZe7l8ou899vN3zogGQwX1wJTyVorX/IgpNljOZDNVYSL7YEAiQI6YM03H1pkjY9EgeboVCIpWbRBvx0bjk1GRHpRM2Hst3mDU7F7AOepmS8xBatuBKRIEHWJ00a55Pb6d7CoySAxY7aN0FT7"}
Source: Yara match | File source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1871811766.00000000012E0000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3667738198.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3667738198.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 7612, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.1% probability
Source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_06f1787b-1)
Source: lz3EbiqoK4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Window detected: Accept - next / Welcome to TeamViewer / Remote Support unattended access meetings and presentations / License Agreement: By continuing you agree to the terms of the license agreement. / License Agreement: / Default installation / Install and set up unattended access to this device / Run only (one time use) / Show advanced settings / How do you want to proceed?
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\RollbackTemp
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\tvfiles.7z
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer.ico
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\CopyrightFULL.txt
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\crashpad_handler.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\utils
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\utils\MicrosoftEdgeWebview2Setup.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Note.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Service.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\WriteDump.exe
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_es.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fr.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hr.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hu.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pl.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ro.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_tr.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_uk.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_vi.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_StaticRes.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\TVWebRTC.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\utils
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\tvfilesx64.7z
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\teamviewervpn.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\teamviewervpn.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\tvmonitor.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewerVPN.inf
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\TeamViewerVPN.inf
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.inf
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.inf
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.inf
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\teamviewervpn.sy_
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\teamviewervpn.sy_
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\tvfiles_printer_WithPDFSupport_x64.7z
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-PipelineConfig.xml
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-manifest.ini
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\teamviewer_xpsdriverfilter.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter.gpd
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter.inf
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\RollbackTemp\TV15Install.log
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TV15Install.log
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\RollbackTemp\TV15Install.log
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                    Source: Binary string: E:\WS\tv_prel_dcr\ApplicationPlugins\Win\OutlookAddIn\BuildTarget\Release\TeamViewerMeetingAddinShim.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\DriverBuild\Drivers\Win\VirtualMonitor\bin\x64\Release\TVVirtualMonitorDriver.pdb source: TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_x64dll.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\ApplicationPlugins\Win\OutlookAddIn\ManagedAggregator\obj\Release\ManagedAggregator.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win64\Release\TVWebRTC.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000B4AA000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\TVWorkspace\teamviewer\Installer\plugins\CustomerData\Release_Unicode\CustomerTools.pdb{ source: TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_w32exe.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\Sources\teamviewer_2\Installer\plugins\TvGetVersion\Release_Unicode\TvGetVersion.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_x64exe.pdbV source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\ApplicationPlugins\Win\OutlookAddIn\BuildTarget\Release\TeamViewerMeetingAddinShim64.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\TVWorkspace\teamviewer\Installer\plugins\CustomerData\Release_Unicode\CustomerTools.pdb source: TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_x64exe.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\DriverBuild\Drivers\RemotePrintingDriver\Win\XPSDriverFilter\Build\XPSFilter\x64\Release\TeamViewer_XPSDriverFilter.pdb source: TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\Sources\teamviewer_2\Installer\plugins\TvGetVersion\Release\TvGetVersion.pdb source: TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win64\Release\WriteDump.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\DriverBuild\Drivers\Win\DeviceRedirection\bin\x64\Release\TeamViewer_VirtualDeviceDriver.pdb source: TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win64\Release\WriteDump.pdb_ source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: c:\openvpn-2.1_rc4\tap-win32\amd64\teamviewervpn.pdb source: TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: c:\teamviewer_tvmonitordriver\drivers\win\monitor\objfre_win7_amd64\amd64\TVMonitor.pdb source: TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win64\FULL\Release\TeamViewer_Service.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_w32exe.pdbX source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\Documents\Programming\OpenSourceProjects\tap-windows6\src\x64\Hlk\teamviewervpn.pdb source: TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_w32dll.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_00405FFD FindFirstFileA,FindClose, 5_2_00405FFD
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 5_2_0040559B
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_00402688 FindFirstFileA, 5_2_00402688
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Code function: 6_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_0040596F
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Code function: 6_2_004064C1 FindFirstFileW,FindClose, 6_2_004064C1
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Code function: 6_2_004027FB FindFirstFileW, 6_2_004027FB
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Code function: 9_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 9_2_0040596F
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Code function: 9_2_004064C1 FindFirstFileW,FindClose, 9_2_004064C1
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Code function: 9_2_004027FB FindFirstFileW, 9_2_004027FB
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | File opened: C:\Users\user
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | File opened: C:\Users\user\AppData
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | File opened: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | File opened: C:\Users\user\AppData\Local

                    Networking

                    Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 167.71.56.116:22269 -> 192.168.2.4:49731
                    Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 167.71.56.116:22269 -> 192.168.2.4:49731
                    Source: Malware configuration extractor | URLs: 167.71.56.116
                    Source: Yara match | File source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED
                    Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 167.71.56.116:22269
                    Source: Joe Sandbox View | IP Address: 167.71.56.116 167.71.56.116
                    Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                    Source: unknown | TCP traffic detected without corresponding DNS query: 167.71.56.116
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
                    Source: TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://client.teamviewer.com/shutdown/index.aspx?lng=en
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://connect.teamviewer.com/v15Hhttp://www.teamviewer.com/download/version_15x/TeamViewer_Host_Set
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0/
                    Source: Client-built.exe, 00000001.00000002.3695571535.000000001C0B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                    Source: Client-built.exe, 00000001.00000002.3695571535.000000001C1DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                    Source: Client-built.exe, 00000001.00000002.3695571535.000000001C1DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                    Source: Client-built.exe, 00000001.00000002.3695571535.000000001C12B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?181a5260ae
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dojofoundation.org/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://github.com/jquery/jqueryui.com
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jquery.com/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jquery.org/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://knockoutjs.com/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mozilla.org/MPL/2.0/.
                    Source: TeamViewer_Setup_x64.exe, TeamViewer_Setup_x64.exe, 00000005.00000000.1931898193.0000000000409000.00000008.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000000.1931898193.0000000000409000.00000008.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_.exe, 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000000.1972346777.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000000.2051228247.000000000040A000.00000008.00000001.01000000.00000015.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.drString found in binary or memory: http://ocsp.digicert.com0A
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://ocsp.digicert.com0C
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://ocsp.digicert.com0I
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://ocsp.digicert.com0X
                    Source: Client-built.exe, 00000001.00000002.3667738198.0000000003581000.00000004.00000800.00020000.00000000.sdmp, Client-built.exe, 00000001.00000002.3667738198.00000000036D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://scripts.sil.org/OFL
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tanyabrassie.com/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://underscorejs.org/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.boost.org/users/license.html).
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.opensource.org/licenses/mit-license.php
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/)
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2312085882.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301300487.0000000007100000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/download/version_15x/TeamViewerQJ.exe
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/download/version_15x/TeamViewer_Setup.exe
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/favicon.ico
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=103286
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=130291
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=141508
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=144319
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=148325
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=181342
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=190014
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=233248
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000002.2373504628.0000000002757000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2256496709.000000000155A000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=271351
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=271351#Th
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=271351$Pridae
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=271351&Adicionar
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=301635
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=301635#
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635$
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635F
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635POm
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635SAko
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635TAk
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635_
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635aDac
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635c
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635g
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=301635lSe
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=301635sN
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=308980
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=362946
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=364893
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=413309
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=441415
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_bg.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=456463
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=456463#~b
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=456463OKh
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=456463YD
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=456463mScript-urile
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=456463mSkript
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=456463p
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=456463qSkripte
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=456463r
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=456463xScripts
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=475051
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=517756
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=522447
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=526914
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=539523
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=539523%
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_bg.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=539523)
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=539523)Installation
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=5395230Configura
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=5395239
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=539523?
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=563890
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=591924
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=613217
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=632515
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=632515.
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=632515/Op
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=6325150Alternativ
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=6325150TeamViewer
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=6325155
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=6325156Ca
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=6325157
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=632515:Opc
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=633113
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=649250
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=649250M
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=649250U
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=649250f
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_bg.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=649250y
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=659842
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=666256
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=696517
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=696517$E-Mail
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=703800
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=720679
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=720679aInloggningen
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=720679aLogin
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=720679gPrihl
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=720679hPrijavljivanje
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=720679n
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=720679p
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=720679t
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=720679yLog
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=720679yOturum
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=740465
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=801210
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210#
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210Q
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210YFj
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210c
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210eO
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210gVo
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=801210jMa
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210jUdaljeni
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210kUzak
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=801210xComputerul
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=861823
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=861823?
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=861823NDu
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=861823P
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=861823Q
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=861823R
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=861823SOtomatik
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=861823XTrebuie
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=861823gAby
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=866109
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=874259
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=891850
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=891850&Bezpe
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=891850)
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=891850/O
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=8918502Codul
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=8918503Sigurnosna
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=899369
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=907878
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=922587
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: http://www.teamviewer.com/link/?url=934954
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=9349542Sua
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=9349547
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.teamviewer.com/link/?url=934954=
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.teamviewer.com/link/?url=934954=Tiden
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.teamviewer.com/link/?url=934954=Zahtev
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=934954F
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.teamviewer.com/link/?url=934954J
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.teamviewer.com/link/?url=934954MSolicitarea
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=942683
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=954698
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=964412
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: http://www.teamviewer.com/link/?url=999999
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.teamviewer.com/link/?url=999999tS
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.teamviewer.com/link/?url=999999wFil
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.teamviewer.com/link/?url=999999~
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://%1%.teamviewer.com/
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://%1%.teamviewer.com/%2%
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%1%.teamviewer.com/%2%)Introducec
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.drString found in binary or memory: https://%1%.teamviewer.com/0
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%1%.teamviewer.com/5
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%1%.teamviewer.com/z
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/fabric-assets-license
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/fluentui-assets-license
                    Source: Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.googlesource.com/chromium/src/third_party/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.googlesource.com/libyuv/libyuv/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cla.developers.google.com/clas
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://client.teamviewer.com/blizzintro/?language=%1%&os=%2%&client=%3%
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://client.teamviewer.com/intro/index.aspx?lng=%1%&version=%2%&os=%3%&tab=%4%DSorry.
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://client.teamviewer.com/whatsnew/index.aspx?lng=%1%&version=%2%&os=%3%&tab=%4%&insiderbuild=%5
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://community.teamviewer.com/kb/articles/106782-managed-devices-general-information
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.teamviewer.com/kb/articles/106782-managed-devices-general-information(Zobrazovae
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.teamviewer.com/kb/articles/106782-managed-devices-general-information3
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_ar.dll.6.drString found in binary or memory: https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz$Radnja
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz)Platnose
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz0Tidsgr
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz2Acc
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz30
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz3Thao
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz6
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://creativecommons.org/licenses/by-sa/4.0/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://creativecommons.org/licenses/by/4.0/)
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://dev-trunk.teamviewer.com/CommentSession/CommentAfterSession?token=%1%&lng=%2%&version=%3%&os
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.drString found in binary or memory: https://dev-trunk.teamviewer.com/CommentSession/CommentDuringSession?token=%1%&lng=%2%&version=%3%&o
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://feedbackservice-test.teamviewer.com
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://feedbackservice.teamviewer.com
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://feedbackservice.teamviewer.com/upload/index8https://feedbackservice-test.teamviewer.com/uplo
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fontawesome.com/license/free.
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://get.teamviewer.com/v15/%1%vYou
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://get.teamviewer.com/v15/%2%
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://getassistar.teamviewer.com/%1%
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.drString found in binary or memory: https://getassistar.teamviewer.com/%1%C%1%
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://getassistar.teamviewer.com/%1%K%1%
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://getassistar.teamviewer.com/%2%
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://getassistar.teamviewer.com/%2%8
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.drString found in binary or memory: https://getassistar.teamviewer.com/%2%9
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://git.coolaj86.com/coolaj86/atob.js.git
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://git.tukaani.org/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/101arrowz/fflate
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/DefinitelyTyped/DefinitelyTyped
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/FortAwesome/Font-Awesome
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/FortAwesome/react-fontawesome
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Gamote/lottie-react
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/JedWatson/classnames
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/MrRio/jsPDF
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Popmotion/hey-listen
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Popmotion/popmotion
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Qix-/color-convert
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Raynos/duplexer
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Raynos/function-bind
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/RebeccaStevens/deepmerge-ts
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ReneNyffenegger/cpp-base64
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/SamVerschueren/decode-uri-component
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/SergiusTheBest/exceptxx
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ShiqiYu/libfacedetection
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/adobe/react-spectrum
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/airbnb/lottie-web
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/alexindigo/asynckit
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/axios/axios
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/babel/babel
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/benjamn/reify
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/boostorg/boost
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/browserslist/browserslist
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/browserslist/caniuse-lite
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/canvg/canvg
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/caolan/async
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/chalk/ansi-regex
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/chalk/ansi-styles
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/chalk/chalk
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/chartjs/Chart.js
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/cisco/libsrtp
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/colorjs/color-name
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/component/escape-html
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/cure53/DOMPurify
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/curl/curl
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/date-fns/date-fns
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/emotion-js/emotion/tree/main/packages/hash
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/emotion-js/emotion/tree/master/packages/is-prop-valid
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/emotion-js/emotion/tree/master/packages/memoize
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/epoberezkin/fast-deep-equal
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ericf/css-mediaquery
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/farzher/fuzzysort
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/felixge/node-combined-stream
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/felixge/node-delayed-stream
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/fengyuanchen/cropperjs
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/follow-redirects/follow-redirects
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/form-data/form-data
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/framer/motion
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/frenic/csstype
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/glennrp/libpng
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/boringssl/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/farmhash
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/googlefonts/dm-fonts/tree/main/Sans
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/henrikjoreteg/html-parse-stringify
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/i18next/i18next
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/i18next/i18next-browser-languageDetector
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/i18next/i18next-http-backend
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/i18next/i18next-resources-to-backend
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/immerjs/immer
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/infusion/Fraction.js
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/inspect-js/functions-have-names
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/inspect-js/has-property-descriptors
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/inspect-js/has-symbols
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/inspect-js/has-tostringtag
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/inspect-js/is-arguments
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/inspect-js/is-date-object
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/inspect-js/is-regex
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/isaacs/fs.realpath
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/isaacs/inherits
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/isaacs/node-glob
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jakejs/jake
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jaredLunde/react-hook
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jhchen/fast-diff
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/joyent/libuv
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jquense/react-common-hooks
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jquery-validation/jquery-validation
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jquery/jquery
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jquery/jqueryui.com
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jshttp/cookie
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/juggle/resize-observer
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/juliangruber/balanced-match
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/juliangruber/brace-expansion
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/justmoon/node-extend
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/kilian/electron-to-chromium
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/knockout/knockout
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/libjpeg-turbo/libjpeg-turbo
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/libuv/libuv
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/libuv/libuv/tree/master/src
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ljharb/call-bind
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ljharb/define-properties
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ljharb/get-intrinsic
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/lodash/lodash
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/lquixada/cross-fetch
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/lukeed/clsx
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/lukeed/dequal
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/lukeed/escalade
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/lydell/js-tokens
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/lz4/lz4
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mantinedev/mantine
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mathiasbynens/emoji-regex
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mde/ejs
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mde/filelist
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/microsoft/fluentui
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/microsoft/fluentui-system-icons
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/microsoft/griffel
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/microsoft/rushstack
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/missive/emoji-mart
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS).
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/moment/luxon
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mridgway/hoist-non-react-statics
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/niklasvh/base64-arraybuffer
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/niklasvh/css-line-break
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/niklasvh/html2canvas
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/nolimits4web/dom7
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/npm/inflight
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/open-cli-tools/concurrently
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/open-source-parsers/jsoncpp
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/popperjs/popper-core
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/postcss/autoprefixer
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pradel/esbuild-node-externals
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/primus/eventemitter3
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pvorb/node-clone
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/reach/observe-rect
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/react-bootstrap/dom-helpers
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/react-dropzone/attr-accept
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/react-dropzone/file-selector
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/react-native-async-storage/async-storage
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/react-restart/ui
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/reduxjs/redux-toolkit
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/remix-run/react-router
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/rexxars/hyphenate-style-name
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/rochal/jQuery-slimScroll
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/simonbengtsson/jsPDF-AutoTable
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/simonbengtsson/jspdf-autotable
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/filter-obj
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/find-up
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/gzip-size
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/has-flag
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/is-docker
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/is-fullwidth-code-point
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/is-plain-obj
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/is-wsl
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/locate-path
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sindresorhus/query-string
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/standard-things/esm
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/stefanpenner/get-caller-file
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/substack/node-deep-equal
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/suren-atoyan/monaco-loader
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/suren-atoyan/monaco-react
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/swc-project/swc
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tanstack/react-virtual
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tanstack/table
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tarruda/has
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/thlorenz/convert-source-map
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/twbs/bootstrap
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/weidai11/cryptopp
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/wojtekmaj/date-utils
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/wojtekmaj/get-user-locale
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/yargs/cliui
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/zertosh/invariant
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/zertosh/loose-envify
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/zloirock/core-js
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://go.teamviewer.com/v15
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://go.teamviewer.com/v15/
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.drString found in binary or memory: https://go.teamviewer.com/v15b
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.teamviewer.com/v15c
                    Source: Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://ipwho.is/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jquery.org/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kossnocorp.mit-license.org
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://login.teamviewer.com/nav/license-activation-guidance
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mathiasbynens.be/
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://meeting.teamviewer.com/
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.drString found in binary or memory: https://meeting.teamviewer.com/._Please
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://meeting.teamviewer.com/join/-https://www.teamviewer.com/meeting/telephone/
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.drString found in binary or memory: https://meeting.teamviewer.com/join/-https://www.teamviewer.com/meeting/telephone/Y
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://meeting.teamviewer.com/join/-https://www.teamviewer.com/meeting/telephone/Z:N
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://npm.runkit.com/concat-map
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsis.sourceforge.io/Base64_plug-in
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsis.sourceforge.io/DialogsEx_plug-in
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsis.sourceforge.io/Invoke_Shell_Verb_plugin
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nsis.sourceforge.io/Linker_plug-in
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://openjsf.org/
                    Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://opensource.org/licenses/MIT)
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://opensource.org/licenses/Zlib)
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://quicksupport.me/s%1%
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://scripts.sil.org/OFL)
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sindresorhus.com)
Source: Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp, Client-built.exe, 00000001.00000002.3667738198.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, Client-built.exe, 00000001.00000002.3667738198.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tukaani.org/xz/
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://webrtc.googlesource.com/src/
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.npmjs.com/package/
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.npmjs.com/package/btoa
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: https://www.teamviewer.cn/cn/lo-assist-ar/YUsers
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/en/gdpr/
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/en/gdpr/#
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/en/gdpr/)
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/en/lo-assist-ar/YUsers
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=116574
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=125377
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=165388
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=165388#Tyv
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=1653880R
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=1653883Ne
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=1653885=
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=1653888
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=180010
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=261802
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=279064$(WK
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=279064NKh
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064UY
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064VScripts
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064YSkript
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064ZD
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064b
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064lScript-urile
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064oSkripte
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=279064rOs
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=290947
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=290947#
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_bg.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=290947$
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=290947%Dezactiva
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=290947%Donan1
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=293922
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=300792
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=364272
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=364272&
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=364272)Naozaj
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=3642722Doric
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=3642724Da
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=3642728Ba#
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=3642728Devam
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=378443
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=382377
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=382377dPristajem
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=382377g/
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=382377lAutorizo
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=382377lJag
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=382377nT
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=382377p/
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=382377sS
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=382377tConsimt
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=382377wKi_
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=418720
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=461825ZYour
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=462409
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=462409IMQ
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=462409JMQ9
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=514937
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=572005
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=572005S
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=572005T
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=601593
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=601593C
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=737863
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=773631
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=780538
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=790045
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=7900459/
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=790045s/
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=850268&utm_source=mainwindow&utm_medium=client&utm_content=wind
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=879333
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=879333~Tento
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=881911
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/link/?url=940942
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/link/?url=9409420Experimente
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/meeting
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/meeting/telephone/
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/ru/lo-assist-ar/YUsers
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/teamviewer-tensor/single-sign-on/
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/teamviewer-tensor/single-sign-on/1
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.teamviewer.com/teamviewer-tensor/single-sign-on/6
Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | String found in binary or memory: https://www.teamviewer.com/ticket
Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.yworks.com/
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
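The URL rows above are noisy: one TeamViewer help link appears a dozen times with different trailing characters (?url=279064, ?url=279064$(WK, ?url=279064lScript-urile) because the string scan ran past the end of the URL into the next entry of the localization resource's string table, and the process name and memory-dump id are fused with the next cell. The following is an added example for this page, not Joe Sandbox code and not part of the report, that collapses rows of this shape into one entry per canonical URL and attributes each to the process or dropped file it was read from. SAMPLE_ROWS is a constructed subset copied from the table above; the six-digit rule for the ?url= parameter and the set of trailing junk characters are assumptions derived from the clean rows in this report, not a documented format.

```python
"""Collapse the "String found in binary or memory" rows of a Joe Sandbox report
into one entry per canonical URL, attributed to the process or dropped file
the string was read from.

Added example for this page (not Joe Sandbox code). SAMPLE_ROWS is a
constructed subset of the rows printed above, fused exactly as the flattened
page prints them: the memory-dump id runs straight into the next table cell.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

ROW_RE = re.compile(
    r"^Source:\s*(?P<sources>.+?)String found in binary or memory:\s*(?P<url>\S+)$"
)

# Punctuation a C-string scan commonly drags in after a URL ("...Zlib)", "...23354;").
# Assumption: chosen from the clean/unclean pairs visible in this report.
TRAILING_JUNK = ");#,.'\"$"

SAMPLE_ROWS = [  # constructed subset of the report's rows
    "Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://opensource.org/licenses/Zlib)",
    "Source: TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tukaani.org/xz/",
    "Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.teamviewer.com/link/?url=279064",
    "Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.drString found in binary or memory: https://www.teamviewer.com/link/?url=279064$(WK",
    "Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.teamviewer.com/link/?url=279064lScript-urile",
    "Source: TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.drString found in binary or memory: https://www.teamviewer.com/link/?url=1653880R",
    "Source: Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot",
    "Source: Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp, Client-built.exe, 00000001.00000002.3667738198.00000000038A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354",
]


def split_sources(field):
    """Return a list of (origin, dump) tuples for the Source cell.

    Memory dumps arrive as 'process.exe, <dump id>.sdmp' pairs; dropped files
    are a single token ending in '.dr' (the '.6.dr' suffix in this report
    means "dropped by process 6"); unpacked PEs end in '.unpack'.
    """
    origins = []
    pending = None
    for tok in (t.strip() for t in field.split(",")):
        if not tok:
            continue
        if tok.endswith(".sdmp"):
            origins.append((pending or "<unknown>", tok))
            pending = None
        elif tok.endswith(".dr") or tok.endswith(".unpack"):
            origins.append((tok, None))
        else:
            pending = tok  # process name; its dump id is the next token
    return origins


def canonicalize(url):
    """Trim string-table spill-over from a URL.

    Rule 1: drop trailing punctuation the scanner picked up ("...Zlib)").
    Rule 2: TeamViewer help links: every clean ?url= value in this report is
            exactly six digits (assumption), so anything after the sixth
            digit is spill-over ("1653880R", "279064lScript-urile").
    Rule 3: stackoverflow '/q/<question>/<user>' references: keep that shape
            and drop whatever follows ("23354sCannot").
    Other hosts get rule 1 only, and the fragment is always dropped.
    """
    url = url.rstrip(TRAILING_JUNK)
    parts = urlsplit(url)
    host, path, query = parts.netloc.lower(), parts.path, parts.query
    if host == "www.teamviewer.com" and path == "/link/":
        m = re.match(r"url=(\d{6})", query)
        if m:
            query = "url=" + m.group(1)
    elif host == "stackoverflow.com":
        m = re.match(r"(/q/\d+/\d+)", path)
        if m:
            path = m.group(1)
    return urlunsplit((parts.scheme, host, path, query, ""))


def collapse(rows):
    """Group report rows by canonical URL.

    Returns {canonical_url: {"origins": set of process/file names,
                             "raw": set of the raw strings that collapsed into it}}.
    Rows that are not URL rows (Yara matches, dropped files) are skipped.
    """
    table = defaultdict(lambda: {"origins": set(), "raw": set()})
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        entry = table[canonicalize(m.group("url"))]
        entry["raw"].add(m.group("url"))
        for origin, _dump in split_sources(m.group("sources")):
            entry["origins"].add(origin)
    return dict(table)


def by_process(table):
    """Invert collapse(): {origin: sorted list of canonical URLs}."""
    out = defaultdict(set)
    for url, entry in table.items():
        for origin in entry["origins"]:
            out[origin].add(url)
    return {origin: sorted(urls) for origin, urls in out.items()}


if __name__ == "__main__":
    table = collapse(SAMPLE_ROWS)
    for url in sorted(table):
        print(f"{url}")
        print(f"    origins: {sorted(table[url]['origins'])}")
        print(f"    raw variants collapsed: {len(table[url]['raw'])}")
    for origin, urls in sorted(by_process(table).items()):
        print(f"{origin}: {len(urls)} distinct URL(s)")
```

Run against the full table above, the collapse makes the triage point quickly: every URL attributed to TeamViewer_.exe and the TeamViewer_Resource_*.dll drops is a vendor help, meeting or licence link from the bundled installer, and the only strings attributed to Client-built.exe (the file the Quasar Yara rules fire on) are stackoverflow references; the C2 endpoint this report flags comes from the malware configuration section, not from this string list. Keeping the raw variants per canonical URL preserves the evidence that the trimming is a presentation choice, so the original strings can still be searched for if a rule needs them.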

E-Banking Fraud

Source: Yara match | File source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1871811766.00000000012E0000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3667738198.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3667738198.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 7612, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\tvmonitor.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\teamviewervpn.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\teamviewervpn.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.cat
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\teamviewer_xpsdriverfilter.cat

                    System Summary

Source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware, Author: Florian Roth
Source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware, Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Code function: 6_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Code function: 9_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | File created: C:\Windows\assembly\Desktop.ini
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | File deleted: C:\Windows\Temp\nsw8A6C.tmp
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Code function: 0_2_06B900CD
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BD35BE1
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BD393C1
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BD34DC6
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BD3A7CD
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BD38A61
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BD310D1
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_00406344
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_0040488F
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Code function: 6_2_00406846
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Code function: 6_2_00404C59
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Code function: 9_2_00406846
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Code function: 9_2_00404C59
Source: TeamViewer_Resource_ar.dll.6.dr | Static PE information: Resource name: RT_STRING type: PDP-11 separate I&D executable not stripped
Source: TeamViewer_Resource_cs.dll.6.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: TeamViewer_Resource_de.dll.6.dr | Static PE information: Resource name: RT_STRING type: MIPSEB-LE ECOFF executable not stripped - version 0.101
Source: TeamViewer_Resource_el.dll.6.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: TeamViewer_Resource_es.dll.6.dr | Static PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.100
Source: TeamViewer_Resource_it.dll.6.dr | Static PE information: Resource name: RT_STRING type: 370 XA sysV executable not stripped
Source: TeamViewer_Resource_it.dll.6.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: TeamViewer_Resource_nl.dll.6.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: TeamViewer_Desktop.exe.6.dr | Static PE information: Number of sections : 13 > 10
Source: TeamViewer.exe.6.dr | Static PE information: Number of sections : 12 > 10
Source: TeamViewer_Resource_ja.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_cs.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_it.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_hu.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_hr.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_ar.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_ko.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_lt.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_en.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_nl.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_he.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_fr.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_fi.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_es.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_id.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_el.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_bg.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_da.dll.6.dr | Static PE information: No import functions for PE file found
Source: TeamViewer_Resource_de.dll.6.dr | Static PE information: No import functions for PE file found
Source: lz3EbiqoK4.exe, 00000000.00000002.1937736155.0000000004C2A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVenomless.exe0 vs lz3EbiqoK4.exe
Source: lz3EbiqoK4.exe, 00000000.00000002.1941549710.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs lz3EbiqoK4.exe
Source: lz3EbiqoK4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: classification engine | Classification label: mal46.troj.evad.winEXE@17/109@0/1
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Code function: 0_2_0689AA8E AdjustTokenPrivileges
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Code function: 0_2_0689AA57 AdjustTokenPrivileges
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Code function: 6_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Code function: 9_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_0040431C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Code function: 5_2_0040205E CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lz3EbiqoK4.exe.log
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\3470ac31-30aa-4cf6-ab0a-1ed0dd64656f
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | File created: C:\Users\user\AppData\Local\Temp\Client-built.exe
Source: lz3EbiqoK4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: unknown | Process created: C:\Users\user\Desktop\lz3EbiqoK4.exe "C:\Users\user\Desktop\lz3EbiqoK4.exe"
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Process created: C:\Users\user\AppData\Local\Temp\Client-built.exe "C:\Users\user\AppData\Local\Temp\Client-built.exe"
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Process created: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe"
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Process created: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe"
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Process created: C:\Users\user\AppData\Local\Temp\Client-built.exe "C:\Users\user\AppData\Local\Temp\Client-built.exe"
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Process created: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe"
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Process created: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe"
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: oleacc.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: version.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exeFile written: C:\Windows\assembly\Desktop.iniJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeAutomated click: Accept - next
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeAutomated click: OK
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeWindow detected: Accept - next Welcome to TeamViewerRemote Support unattended access meetings and presentationsLicense Agreement: By continuing you agree to the terms of the license agreement.License Agreement:Default installationInstall and set up unattended access to this deviceRun only (one time use)Show advanced settingsHow do you want to proceed?
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\24.0\OutlookJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\RollbackTempJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTempJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\tvfiles.7zJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer.icoJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\CopyrightFULL.txtJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\crashpad_handler.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\utilsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\utils\MicrosoftEdgeWebview2Setup.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Note.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Service.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\uninstall.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\WriteDump.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\outlookJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_es.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hu.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pl.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ro.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_tr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_uk.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_vi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_StaticRes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\TVWebRTC.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\utilsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\outlookJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\tvfilesx64.7zJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\teamviewervpn.catJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\teamviewervpn.catJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.catJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\tvmonitor.catJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.catJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewerVPN.infJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\TeamViewerVPN.infJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.infJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.infJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.infJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\teamviewervpn.sy_Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\teamviewervpn.sy_Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exeDirectory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\tvfiles_printer_WithPDFSupport_x64.7z
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-PipelineConfig.xml
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-manifest.ini
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\teamviewer_xpsdriverfilter.cat
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter.gpd
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter.inf
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | Directory created: C:\Program Files\TeamViewer\RollbackTemp\TV15Install.log
                    Source: lz3EbiqoK4.exe | Static file information: File size 75655168 > 1048576
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                    Source: lz3EbiqoK4.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x4804800
                    Source: lz3EbiqoK4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: E:\WS\tv_prel_dcr\ApplicationPlugins\Win\OutlookAddIn\BuildTarget\Release\TeamViewerMeetingAddinShim.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\DriverBuild\Drivers\Win\VirtualMonitor\bin\x64\Release\TVVirtualMonitorDriver.pdb source: TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2306927283.0000000007100000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_x64dll.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\ApplicationPlugins\Win\OutlookAddIn\ManagedAggregator\obj\Release\ManagedAggregator.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win64\Release\TVWebRTC.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000B4AA000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\TVWorkspace\teamviewer\Installer\plugins\CustomerData\Release_Unicode\CustomerTools.pdb{ source: TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_w32exe.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\Sources\teamviewer_2\Installer\plugins\TvGetVersion\Release_Unicode\TvGetVersion.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_x64exe.pdbV source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\ApplicationPlugins\Win\OutlookAddIn\BuildTarget\Release\TeamViewerMeetingAddinShim64.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\TVWorkspace\teamviewer\Installer\plugins\CustomerData\Release_Unicode\CustomerTools.pdb source: TeamViewer_.exe, 00000009.00000002.2256775334.00000000017C4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_x64exe.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\DriverBuild\Drivers\RemotePrintingDriver\Win\XPSDriverFilter\Build\XPSFilter\x64\Release\TeamViewer_XPSDriverFilter.pdb source: TeamViewer_.exe, 00000006.00000003.2312212372.00000000091D0000.00000004.00001000.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2311975542.0000000008CB7000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\Sources\teamviewer_2\Installer\plugins\TvGetVersion\Release\TvGetVersion.pdb source: TeamViewer_Setup_x64.exe, 00000005.00000002.2381220145.000000000292D000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win64\Release\WriteDump.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\DriverBuild\Drivers\Win\DeviceRedirection\bin\x64\Release\TeamViewer_VirtualDeviceDriver.pdb source: TeamViewer_.exe, 00000006.00000003.2305866692.0000000008C59000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2307146959.00000000091F0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win64\Release\WriteDump.pdb_ source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: c:\openvpn-2.1_rc4\tap-win32\amd64\teamviewervpn.pdb source: TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: c:\teamviewer_tvmonitordriver\drivers\win\monitor\objfre_win7_amd64\amd64\TVMonitor.pdb source: TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win64\FULL\Release\TeamViewer_Service.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_w32exe.pdbX source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\Documents\Programming\OpenSourceProjects\tap-windows6\src\x64\Hlk\teamviewervpn.pdb source: TeamViewer_.exe, 00000006.00000003.2303691049.000000000869E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\WS\tv_prel_dcr\build_cmake_win_HOOKS\Release\tv_w32dll.pdb source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp
                    Source: TVWebRTC.dll.6.dr | Static PE information: section name: _RDATA
                    Source: tv_w32.dll.6.dr | Static PE information: section name: .shared
                    Source: TeamViewer_XPSDriverFilter.dll.6.dr | Static PE information: section name: _RDATA
                    Source: tv_x64.dll.6.dr | Static PE information: section name: _RDATA
                    Source: tv_x64.dll.6.dr | Static PE information: section name: .shared
                    Source: crashpad_handler.exe.6.dr | Static PE information: section name: _RDATA
                    Source: crashpad_handler.exe.6.dr | Static PE information: section name: CPADinfo
                    Source: MicrosoftEdgeWebview2Setup.exe.6.dr | Static PE information: section name: .didat
                    Source: TeamViewer.exe.6.dr | Static PE information: section name: IPPCODE
                    Source: TeamViewer.exe.6.dr | Static PE information: section name: .didat
                    Source: TeamViewer.exe.6.dr | Static PE information: section name: .rodata
                    Source: TeamViewer.exe.6.dr | Static PE information: section name: IPPDATA
                    Source: TeamViewer.exe.6.dr | Static PE information: section name: _RDATA
                    Source: TeamViewer.exe.6.dr | Static PE information: section name: CPADinfo
                    Source: TeamViewer_Desktop.exe.6.dr | Static PE information: section name: .orpc
                    Source: TeamViewer_Desktop.exe.6.dr | Static PE information: section name: IPPCODE
                    Source: TeamViewer_Desktop.exe.6.dr | Static PE information: section name: .didat
                    Source: TeamViewer_Desktop.exe.6.dr | Static PE information: section name: .rodata
                    Source: TeamViewer_Desktop.exe.6.dr | Static PE information: section name: IPPDATA
                    Source: TeamViewer_Desktop.exe.6.dr | Static PE information: section name: _RDATA
                    Source: TeamViewer_Desktop.exe.6.dr | Static PE information: section name: CPADinfo
                    Source: TeamViewer_Note.exe.6.dr | Static PE information: section name: .didat
                    Source: TeamViewer_Note.exe.6.dr | Static PE information: section name: _RDATA
                    Source: TeamViewer_Service.exe.6.dr | Static PE information: section name: IPPCODE
                    Source: TeamViewer_Service.exe.6.dr | Static PE information: section name: .didat
                    Source: TeamViewer_Service.exe.6.dr | Static PE information: section name: IPPDATA
                    Source: TeamViewer_Service.exe.6.dr | Static PE information: section name: _RDATA
                    Source: tv_w32.exe.6.dr | Static PE information: section name: .didat
                    Source: tv_x64.exe.6.dr | Static PE information: section name: .didat
                    Source: tv_x64.exe.6.dr | Static PE information: section name: _RDATA
                    Source: WriteDump.exe.6.dr | Static PE information: section name: _RDATA
                    Source: TeamViewerMeetingAddinShim64.dll.6.dr | Static PE information: section name: _RDATA
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Code function: 0_2_068C089F push es; ret 0_2_068C08D0
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Code function: 0_2_068C091F push es; retf 0_2_068C092C
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Code function: 0_2_068C08D3 push es; ret 0_2_068C0950
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Code function: 0_2_06B93BD4 push ecx; retf 0_2_06B93BEC
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BACE32C push ss; ret 1_2_00007FFD9BACE35A
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BACE194 push cs; ret 1_2_00007FFD9BACE19C
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BAC7569 push ebx; iretd 1_2_00007FFD9BAC756A
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Code function: 1_2_00007FFD9BAC8163 push ebx; ret 1_2_00007FFD9BAC816A
                    Source: initial sample | Static PE information: section name: UPX0
                    Source: initial sample | Static PE information: section name: UPX1
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\TvGetVersion.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Service.exe
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | File created: C:\Windows\Temp\nseC5E0.tmp\nsArray.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\linker.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hu.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\teamviewervpn.sy_
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_StaticRes.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ro.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\nsis7z.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\UAC.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\UserInfo.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_uk.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TVWebRTC.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\utils\MicrosoftEdgeWebview2Setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | File created: C:\Users\user\AppData\Local\Temp\Client-built.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\nsExec.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Note.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\nsArray.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dll
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | File created: C:\Windows\Temp\nseC5E0.tmp\nsExec.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\InstallOptions.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pl.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dll
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_es.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fr.dll
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | File created: C:\Windows\Temp\nseC5E0.tmp\System.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hr.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dll
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | File created: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\System.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_tr.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_vi.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\uninstall.exe
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\TvGetVersion.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\crashpad_handler.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\WriteDump.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\x64\teamviewervpn.sy_
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | File created: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TV15Install.log
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | File created: C:\Program Files\TeamViewer\RollbackTemp\TV15Install.log

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | File opened: C:\Users\user\AppData\Local\Temp\Client-built.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Memory allocated: 6970000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Memory allocated: 120C0000 memory commit | memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Memory allocated: 1BA90000 memory commit | memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Memory allocated: 25160000 memory commit | memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Memory allocated: 29FF0000 memory commit | memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Memory allocated: 3FD10000 memory commit | memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe Memory allocated: 1760000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe Memory allocated: 1B580000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Service.exe
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe Dropped PE file which has not been started: C:\Windows\Temp\nseC5E0.tmp\nsArray.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\linker.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hu.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\teamviewervpn.sy_
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_StaticRes.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ro.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\nsis7z.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\UAC.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\UserInfo.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_uk.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TVWebRTC.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\utils\MicrosoftEdgeWebview2Setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\nsExec.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Note.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\nsArray.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dll
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe Dropped PE file which has not been started: C:\Windows\Temp\nseC5E0.tmp\nsExec.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\InstallOptions.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pl.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_es.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fr.dll
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe Dropped PE file which has not been started: C:\Windows\Temp\nseC5E0.tmp\System.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hr.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\System.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_tr.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_vi.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\uninstall.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dll
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\crashpad_handler.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\x64\teamviewervpn.sy_
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\WriteDump.exe
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Dropped PE file which has not been started: C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.dll
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe TID: 7572 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe TID: 7680 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe Code function: 5_2_00405FFD FindFirstFileA,FindClose, 5_2_00405FFD
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe Code function: 5_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 5_2_0040559B
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe Code function: 5_2_00402688 FindFirstFileA, 5_2_00402688
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Code function: 6_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_0040596F
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Code function: 6_2_004064C1 FindFirstFileW,FindClose, 6_2_004064C1
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Code function: 6_2_004027FB FindFirstFileW, 6_2_004027FB
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe Code function: 9_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 9_2_0040596F
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe Code function: 9_2_004064C1 FindFirstFileW,FindClose, 9_2_004064C1
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe Code function: 9_2_004027FB FindFirstFileW, 9_2_004027FB
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe File opened: C:\Users\user
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe File opened: C:\Users\user\AppData
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe File opened: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe File opened: C:\Users\user\AppData\Local
                    Source: TeamViewer_Setup_x64.exe, 00000005.00000002.2380880462.00000000006C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630X'8
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000B4AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMnet
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000B4AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %loethwlanv4-wlanipsectunutuntapWebRTC-SignalNetworkPreferenceChangeany../../f57cf8/1/webrtc/src/rtc_base/network.ccToo many network interfaces to handle!WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameNetwork change was observedVMnetrtc::BasicNetworkManager::StartUpdatingSocket creation failedConnect failed with rtc::BasicNetworkManager::UpdateNetworksContinuallyNetworkManager detected , active ? , IgnoredWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=rtc::BasicNetworkManager::set_vpn_list
                    Source: Client-built.exe, 00000001.00000002.3693688639.000000001BF7F000.00000004.00000020.00020000.00000000.sdmp, Client-built.exe, 00000001.00000002.3695571535.000000001C23B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: Client-built.exe, 00000001.00000002.3695571535.000000001C103000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.windowsupdate.commsdownloadupdatev3statictrustedrenauthrootstl.cab8
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe API call chain: ExitProcess graph end node graph_5-3279
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe API call chain: ExitProcess graph end node graph_6-3624
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe API call chain: ExitProcess graph end node graph_9-3561
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Process created: C:\Users\user\AppData\Local\Temp\Client-built.exe "C:\Users\user\AppData\Local\Temp\Client-built.exe"
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe Process created: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe"
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
                    Source: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
                    Source: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BA32000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2301476020.000000000D0C0000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: SharedMem_SetLogLevel: %u -> %u******* assertion failed: 'release', line %i, err %i******* assertion failed: 'setev', line %i, err %i******* assertion failed: '(type == State_x64) || (type == State_w32)', line %i, err %iSetDirectXHookStatus %u -> %uStarting Single Window******* assertion failed: 'hwnd', line %i, err %iStopping Single Window******* assertion failed: 'unhooksc', line %i, err %iStarting Update HookProgmanSHELLDLL_DefViewSysListView32Stopping Update Hook******* assertion failed: 'hdc', line %i, err %i******* assertion failed: 'ctos1 && ctos2', line %i, err %i******* assertion failed: 'wrect', line %i, err %i
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Progman
                    Source: TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: ;PEmptyAction%Y-%m-%dT%H:%M:%S, window title "Changed focus to ", PID processIDwindowTitlefileDescriptionapplicationNameCheckbox "" was toggled Spinner "" value changedText field "" changedPassword field "" changed.newValueautomationIDelementName to ""." was changed" to toggle it toggleStatebuttoncontrolType "Collector was stopped.Collector was started.resumepausestartCollector operation: Collector was resumed.Collector was paused.command" entered in shell , prompt "shellpromptExternal: message" with URL " on link "urlKey combination pressed: " pressed on ": "Special key with value " on columncolumnValuecolumnName of Menu "" opened.Clicked on radio button "" in group "groupNamedoubleRightdoublemiddlerightleftDouble right clickedDouble clickedMiddle clickedRight clickedClickedWMIHelper::Query(): ExecQuery failed %1%WQLSELECT Name, Version, BuildNumber FROM Win32_OperatingSystemWMIHelper::CreateWMIService(): Set proxy blanket failed: %1%WMIHelper::CreateWMIService(): Failed to connect to wmi namespace %1%: %2%WMIHelper::CreateWMIService(): Failed to create locator instance %1%'WMIHelper::GetStringProperty(): Property %1% not string (type: %2%)WMIHelper::GetStringProperty(): Get failed for prop %1%: %2%WMIHelper::Query(): Next returned no resultsWMIHelper::Query(): Next failed %1%WM_MBUTTONUPWM_MBUTTONDOWNWM_RBUTTONUPWM_RBUTTONDOWNWM_LBUTTONUPWM_LBUTTONDOWNChromeProgmanSysListView32tvuicollector::LLMouseHookHandler::GetUIAutomationElementAtFailed to get UIA element from position, hr = 0x%1$xtvuicollector::LLMouseHookHandler::GetAccessibleElementAtFailed to call AccessibleObjectFromPoint, hr = %1$xdesktop icondesktopregedit.exeScintillatvuicollector::LLMouseHookHandler::HandleMouseEventMouse hook function took %1% ms for action %2%.tvuicollector::LLMouseHookHandler::StartLLHooksFailed to start mouse hooks.tvuicollector::LLMouseHookHandler::CreateCacheRequestFailed to create cache request for mouse hooks, hr = 0x%1$x#32769
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\Client-built.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Client-built.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe  Code function: 5_2_00405D1B GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,5_2_00405D1B
                    Source: C:\Users\user\Desktop\lz3EbiqoK4.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match  File source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 00000001.00000000.1871811766.00000000012E0000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000001.00000002.3667738198.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000001.00000002.3667738198.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: Client-built.exe PID: 7612, type: MEMORYSTR
                    Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match  File source: 1.0.Client-built.exe.fc0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 00000001.00000000.1871811766.00000000012E0000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000001.00000002.3667738198.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000001.00000002.3667738198.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: Client-built.exe PID: 7612, type: MEMORYSTR
                    Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\Client-built.exe, type: DROPPED
                    MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the count shown next to a matched technique in the report, techniques without a number were not matched)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: Access Token Manipulation (1); Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: Masquerading (33); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (12); Hidden Files and Directories (1); Obfuscated Files or Information (11); Software Packing (1); DLL Side-Loading (1); File Deletion (1)
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (2); Virtualization/Sandbox Evasion (31); File and Directory Discovery (4); System Information Discovery (16); Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: Archive Collected Data (11); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph
                    ID: 1571838  Sample: lz3EbiqoK4.exe  Start date: 09/12/2024  Architecture: WINDOWS  Score: 46

                    Signatures attached to the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

                    Process tree (the numbers after "started" are the created-registry-value / created-file counts shown beside the node in the graph; see the legend above):

                    • lz3EbiqoK4.exe (started; 8)
                      • dropped: C:\Users\user\AppData\...\Client-built.exe, PE32
                      • dropped: C:\Users\user\...\TeamViewer_Setup_x64.exe, PE32
                      • TeamViewer_Setup_x64.exe (started; 21)
                        • dropped: C:\Users\user\AppData\...\TeamViewer_.exe, PE32
                        • dropped: C:\Users\user\AppData\...\TvGetVersion.dll, PE32
                        • TeamViewer_.exe (started; 5 161)
                          • dropped: C:\Program Files\...\TeamViewer_.exe, PE32
                          • dropped: C:\Users\user\AppData\Local\...\nsis7z.dll, PE32
                          • dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32
                          • dropped: 64 other files (none is malicious)
                          • signature: Uses schtasks.exe or at.exe to add and modify task schedules
                          • schtasks.exe (started; 1)
                            • conhost.exe (started)
                          • schtasks.exe (started)
                            • conhost.exe (started)
                      • Client-built.exe (started; 8)
                        • DNS/IP: 167.71.56.116, 22269, 49731, 49737 DIGITALOCEAN-ASNUS United States
                        • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                    • TeamViewer_.exe (started; 1 18)
                      • dropped: C:\Windows\Temp\nseC5E0.tmp\nsExec.dll, PE32
                      • dropped: C:\Windows\Temp\nseC5E0.tmp\nsArray.dll, PE32
                      • dropped: C:\Windows\Temp\nseC5E0.tmp\System.dll, PE32
                      • schtasks.exe (started; 1)
                        • conhost.exe (started)

                    Antivirus detection, sample:

                    Source | Detection | Scanner | Label | Link
                    lz3EbiqoK4.exe | 3% | ReversingLabs | |

                    Antivirus detection, dropped files:

                    Source | Detection | Scanner | Label | Link
                    C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TVWebRTC.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Note.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_es.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fr.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hr.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_hu.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pl.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ro.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_tr.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_uk.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_vi.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Service.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_StaticRes.dll | 4% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\WriteDump.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\crashpad_handler.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\tv_w32.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.dll | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\uninstall.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\utils\MicrosoftEdgeWebview2Setup.exe | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_ | 0% | ReversingLabs | |
                    C:\Program Files\TeamViewer\TVExtractTemp\x64\TVVirtualMonitorDriver.dll | 0% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
                    Antivirus detection, URLs:

                    Source | Detection | Scanner | Label | Link
                    https://%1%.teamviewer.com/5 | 0% | Avira URL Cloud | safe |
                    https://%1%.teamviewer.com/0 | 0% | Avira URL Cloud | safe |
                    https://%1%.teamviewer.com/ | 0% | Avira URL Cloud | safe |
                    https://%1%.teamviewer.com/%2%)Introducec | 0% | Avira URL Cloud | safe |
                    https://getassistar.teamviewer.com/%1%C%1% | 0% | Avira URL Cloud | safe |
                    https://getassistar.teamviewer.com/%2%8 | 0% | Avira URL Cloud | safe |
                    https://getassistar.teamviewer.com/%2%9 | 0% | Avira URL Cloud | safe |
                    https://nsis.sourceforge.io/Base64_plug-in | 0% | Avira URL Cloud | safe |
                    https://scripts.sil.org/OFL) | 0% | Avira URL Cloud | safe |
                    https://dev-trunk.teamviewer.com/CommentSession/CommentAfterSession?token=%1%&lng=%2%&version=%3%&os | 0% | Avira URL Cloud | safe |
                    Domains:

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high

                    URLs found in memory and dropped files:

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://www.teamviewer.com/link/?url=456463mScript-urile | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/standard-things/esm | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://www.teamviewer.com/link/?url=1653885= | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/browserslist/browserslist | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://getassistar.teamviewer.com/%1%C%1% | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | false | Avira URL Cloud: safe | unknown
                    https://github.com/SamVerschueren/decode-uri-component | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/immerjs/immer | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://www.teamviewer.com/link/?url=271351$Pridae | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://www.teamviewer.com/link/?url=633113 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | | high
                    https://get.teamviewer.com/v15/%1%vYou | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | | high
                    http://www.teamviewer.com/link/?url=301635lSe | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/inspect-js/is-regex | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://www.teamviewer.com/link/?url=861823? | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | false | | high
                    http://www.teamviewer.com/link/?url=954698 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | | high
                    https://www.teamviewer.com/link/?url=418720 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | | high
                    http://www.opensource.org/licenses/mit-license.php | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://creativecommons.org/licenses/by/4.0/) | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://%1%.teamviewer.com/5 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.teamviewer.com/link/?url=456463mSkript | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/popperjs/popper-core | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://nsis.sourceforge.io/Base64_plug-in | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.teamviewer.com/link/?url=290947$ | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_bg.dll.6.dr | false | | high
                    https://www.teamviewer.com/link/?url=773631 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | | high
                    https://%1%.teamviewer.com/0 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | false | Avira URL Cloud: safe | unknown
                    https://www.teamviewer.com/link/?url=290947# | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://www.teamviewer.com/link/?url=364272)Naozaj | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/DefinitelyTyped/DefinitelyTyped | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/ShiqiYu/libfacedetection | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://www.teamviewer.com/link/?url=3642722Doric | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://www.teamviewer.com/link/?url=382377tConsimt | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/chartjs/Chart.js | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/mde/filelist | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://openjsf.org/ | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://client.teamviewer.com/intro/index.aspx?lng=%1%&version=%2%&os=%3%&tab=%4%DSorry. | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | | high
                    https://github.com/babel/babel | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://github.com/i18next/i18next | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://www.teamviewer.com/link/?url=362946 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | | high
                    http://www.teamviewer.com/link/?url=934954 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.dr | false | | high
                    https://stackoverflow.com/q/14436606/23354 | Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp, Client-built.exe, 00000001.00000002.3667738198.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, Client-built.exe, 00000001.00000002.3667738198.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://github.com/react-dropzone/attr-accept | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://www.teamviewer.com/link/?url=116574 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | |
                                                                                                high
                                                                                                https://www.teamviewer.com/link/?url=279064oSkripteTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://github.com/airbnb/lottie-webTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://www.teamviewer.com/link/?url=7900459/TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://github.com/form-data/form-dataTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://github.com/sindresorhus/is-fullwidth-code-pointTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.teamviewer.com/link/?url=861823RTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://scripts.sil.org/OFL)TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://login.teamviewer.com/nav/license-activation-guidanceTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                              high
                                                                                                              http://www.teamviewer.com/link/?url=861823QTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://www.teamviewer.com/link/?url=461825ZYourTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                  high
                                                                                                                  http://www.teamviewer.com/link/?url=861823PTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.teamviewer.com/link/?url=462409TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                      high
                                                                                                                      http://www.teamviewer.com/link/?url=666256TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                        high
                                                                                                                        https://github.com/i18next/i18next-resources-to-backendTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://www.teamviewer.com/link/?url=279064NKhTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                            high
                                                                                                                            http://www.teamviewer.com/link/?url=301635sNTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                              high
                                                                                                                              https://github.com/sindresorhus/gzip-sizeTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://community.teamviewer.com/t5/Meeting-EN/ct-p/Blizz2AccTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://github.com/googlefonts/dm-fonts/tree/main/SansTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://github.com/libuv/libuvTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://nsis.sf.net/NSIS_ErrorTeamViewer_Setup_x64.exe, TeamViewer_Setup_x64.exe, 00000005.00000000.1931898193.0000000000409000.00000008.00000001.01000000.00000009.sdmp, TeamViewer_Setup_x64.exe, 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://github.com/sindresorhus/query-stringTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://github.com/thlorenz/convert-source-mapTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://www.teamviewer.com/link/?url=659842TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                              high
                                                                                                                                              https://github.com/i18next/i18next-browser-languageDetectorTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://getassistar.teamviewer.com/%2%8TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://getassistar.teamviewer.com/%2%9TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_zhTW.dll.6.drfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://github.com/lz4/lz4TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://github.com/axios/axiosTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://www.teamviewer.com/download/version_15x/TeamViewerQJ.exeTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://%1%.teamviewer.com/%2%)IntroducecTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://github.com/farzher/fuzzysortTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://github.com/nolimits4web/dom7TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://github.com/open-source-parsers/jsoncppTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://www.teamviewer.com/link/?url=456463qSkripteTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.teamviewer.com/link/?url=801210xComputerulTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.teamviewer.com/link/?url=293922TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://www.teamviewer.com/link/?url=801210cTeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://github.com/juliangruber/balanced-matchTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://www.teamviewer.com/link/?url=261802TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://%1%.teamviewer.com/TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                        unknown
                                                                                                                                                                        https://client.teamviewer.com/whatsnew/index.aspx?lng=%1%&version=%2%&os=%3%&tab=%4%&insiderbuild=%5TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://github.com/react-dropzone/file-selectorTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://www.teamviewer.com/link/?url=300792TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://www.teamviewer.com/link/?url=737863TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://github.com/simonbengtsson/jsPDF-AutoTableTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://github.com/Gamote/lottie-reactTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://github.com/emotion-js/emotion/tree/master/packages/is-prop-validTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://www.teamviewer.com/link/?url=301635TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.drfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://github.com/FortAwesome/Font-AwesomeTeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
URL | Source | Malicious | Reputation
https://client.teamviewer.com/blizzintro/?language=%1%&os=%2%&client=%3% | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | high
https://api.ipify.org/ | Client-built.exe, 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp | false | high
https://dev-trunk.teamviewer.com/CommentSession/CommentAfterSession?token=%1%&lng=%2%&version=%3%&os | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000C6D2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_.exe, 00000006.00000003.2296291885.000000000BCD2000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_pl.dll.6.dr, TeamViewer_Resource_zhTW.dll.6.dr, TeamViewer_Resource_bg.dll.6.dr, TeamViewer_Resource_ar.dll.6.dr, TeamViewer_Resource_vi.dll.6.dr | false | unknown (Avira URL Cloud: safe)
http://www.teamviewer.com/link/?url=801210jUdaljeni | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | high
http://www.teamviewer.com/link/?url=632515:Opc | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | high
https://github.com/Qix-/color-convert | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.teamviewer.com/link/?url=3642728Ba# | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp, TeamViewer_Resource_vi.dll.6.dr | false | high
http://www.teamviewer.com/link/?url=9349547 | TeamViewer_.exe, 00000006.00000003.2296291885.0000000008C2C000.00000004.00000020.00020000.00000000.sdmp | false | high
https://github.com/isaacs/fs.realpath | TeamViewer_.exe, 00000006.00000003.2164143577.00000000087F8000.00000004.00000020.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
167.71.56.116 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571838
Start date and time: 2024-12-09 18:51:30 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: lz3EbiqoK4.exe (renamed because the original name is a hash value)
Original Sample Name: 33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
Detection: MAL
Classification: mal46.troj.evad.winEXE@17/109@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 251
• Number of non-executed functions: 70
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172, 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: lz3EbiqoK4.exe
Time | Type | Description
17:52:59 | Task Scheduler | Run new task: TVInstallRestore path: "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" s>/RESTORE
Match: 167.71.56.116
Associated Sample Name / URL | Detection | Threat Name
SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | malicious | XWorm
SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | malicious | XWorm
X.exe | malicious | XWorm
SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe | malicious | XWorm
WinScanGuard_v.2.1.bat | malicious | Quasar
Shadow-Stealer.bat | malicious | Quasar
OvA6x5v34G.exe | malicious | AsyncRAT
zUYpYikG7T.exe | malicious | njRat
SdwkQEBnc3.exe | malicious | Nanocore
Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context
List of required items and services pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 199.232.210.172
xMaSQ3Bn10.docx | malicious | Unknown | 199.232.214.172
lLNOwu1HG4.js | malicious | RHADAMANTHYS | 199.232.214.172
XUTLbT1Wd1.exe | malicious | Unknown | 199.232.210.172
XUTLbT1Wd1.exe | malicious | Unknown | 199.232.210.172
Aktarma,pdf.vbs | malicious | Remcos | 199.232.210.172
tQoSuhQIdC.msi | malicious | Unknown | 199.232.210.172
W-2Updated.pdf | malicious | KnowBe4, PDFPhish | 199.232.214.172
BL COAU7249606620-pdf.exe | malicious | FormBook | 199.232.214.172
https://reader.egress.com/remote.aspx/s/storage.phe.gov.uk/email/e0599f812894d1904a8fe3cf7f605bcb | malicious | Unknown | 199.232.210.172
Match: DIGITALOCEAN-ASNUS
Associated Sample Name / URL | Detection | Threat Name | Context
deeffrot.doc | malicious | Unknown | 165.227.215.208
https://sendgb.com/vdRYC6Nal34?utm_medium=HlyZfLISdD8Bj1i | malicious | Unknown | 185.14.184.154
xxx.doc | malicious | Unknown | 165.227.215.208
Potvrda_o_uplati.docx.doc | malicious | Unknown | 165.227.215.208
RUCkZvoDjG.htm | malicious | WinSearchAbuse | 68.183.112.81
jew.mpsl.elf | malicious | Unknown | 45.55.200.184
https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2dd | malicious | Unknown | 134.209.143.125
https://villageforddearborn-my.sharepoint.com/:b:/g/personal/robert_wheat_villageford_net/EaAilHqK5PhBneaYfVtjii0ByKmI10BU9zhQ73pqIHj-uQ?e=FnQ6KL | malicious | Unknown | 188.166.2.160
mips.elf | malicious | Gafgyt, Okiru | 209.97.160.137
No context
Match: C:\Program Files\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll
Associated Sample Name / URL | Detection | Threat Name
teamviewer_Px-yDq1.exe | malicious | Unknown
teamviewer_Px-yDq1.exe | malicious | Unknown
Process: C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1187
Entropy (8bit): 5.069834218498263
Encrypted: false
SSDEEP: 24:law+zzDkwlaTDn+Ula4+BlaD+Ila/Me/MIf19rjMqjMvjMzG6jM34K:R+zcwWnbraK9mfB8
MD5: 5DD349777F08062514C16D30AF84A705
SHA1: 315253AE32A17B3D54BFC3D481A97148A038D0F8
SHA-256: 911E27A8E969EDC7D44133389DEF95420C01D9C54C2EFD05962A974F33E3350E
SHA-512: 6735012E87DF79C17E61AD561E3A90D79CB3ED649679BE6F2D7B636C8C39AA90B758848C676CB0382BBCE0C0438BF3BA4BF36566ED87D72DCC9761D74B5204A0
Malicious: false
Preview: 2024-12-09-12-53-19 ..2024-12-09-12-53-19 TVRollbackInstallation(): Rollback installation.....2024-12-09-12-53-19 ..2024-12-09-12-53-19 RollbackDrvChanges(): Rollback all driver changes.....2024-12-09-12-53-19 RollbackDrvChanges(): No driver entries to restore...2024-12-09-12-53-19 ..2024-12-09-12-53-19 RollbackRegChanges(): Rollback all registry changes.....2024-12-09-12-53-19 RollbackRegChanges(): No registry entries to restore...2024-12-09-12-53-19 ..2024-12-09-12-53-19 RollbackFileChanges(): Rollback all file changes.....2024-12-09-12-53-19 RollbackFileChanges(): No file entries to restore...2024-12-09-12-53-19 ..2024-12-09-12-53-19 CleanUp(): Clean up.....2024-12-09-12-53-19 CleanUp(): Unload previously loaded user registry profiles.....2024-12-09-12-53-20 CleanUp(): Install restore task successful removed...2024-12-09-12-53-20 CleanUp(): Warning! Backup key could not be removed...2024-12-09-12-53-20 CleanUp(): Backup directory C:\Program Files\TeamViewer\Rollback
Process: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 71272344
Entropy (8bit): 7.999987306679704
Encrypted: true
SSDEEP: 1572864:re9Md8ir5RcKqhxdJjHKO56/nMgt5LhZx5oZiJG2Ol40hi7id:C2NdRTqhXJDLenHhZx+ZiJcl4m
MD5: 8318FC63158C01368AADC6D4BE89FAD1
SHA1: 88F4AEFCBDD5A748EC21469A565D9C57B7F6CB46
SHA-256: B64A8F72105117FF71ECA4692DF030B6E60C4ABA2631E0FE01411086BB42B1DC
SHA-512: DB7601C5A1AD25CF3F076C8C504EB885D3EBE6358A6490492DEE967C7FF5AC72319AAF75EDBFFD7FB0F7102473A2C16830408C7762283C67A374535EF8420076
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 665954
Entropy (8bit): 5.152510122622251
Encrypted: false
SSDEEP: 12288:/Um3jjLBanosurgrN7pF2YSz9xSnwET9XSXWOyiMilFLBuvSamXe4O7m:r9bx
MD5: BEE0CF8EB0E6B5FE2B216EBA63DE763C
SHA1: 7B83B00CAB5529232A1B3A14253901B4E5762B97
SHA-256: 4161254F13B5A5326456E71B67B3179203DF162279183F929C8678A6FDC91B49
SHA-512: 1A56DDB9AD5D6464A88634824D4225593600D4DFFA26ABCDC5AC9D8D7B575C931A49ECA68F8AB4687B5DB8D0E9072D51AF3698B4628360C5C02B1CE0BA557BFB
Malicious: false
Preview: ##########....@babel/runtime....https://github.com/babel/babel....License type: MIT....MIT License....Copyright (c) 2014-present Sebastian McKenzie and other contributors....Permission is hereby granted, free of charge, to any person obtaining..a copy of this software and associated documentation files (the.."Software"), to deal in the Software without restriction, including..without limitation the rights to use, copy, modify, merge, publish,..distribute, sublicense, and/or sell copies of the Software, and to..permit persons to whom the Software is furnished to do so, subject to..the following conditions:....The above copyright notice and this permission notice shall be..included in all copies or substantial portions of the Software.....THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,..EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF..MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND..NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDE
Process: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 4.963079132684424
Encrypted: false
SSDEEP: 24:nRLN+HfIPXHfMuubDUHeLNIWfpInUH2LpjLFAON+HfIPXHfROubDUHV5yn:C/IPX/ib2CISABm/IPX/RXb26
MD5: E5121693356198A36982BABB96272404
SHA1: EFF3A59DE3B562BED53FD08C5C91FAE739109D4A
SHA-256: 8E24B8D8D0305962542DBB21492ACA797F20D624ED4B0194105FBFE52E1CDBEB
SHA-512: A862949D782607961882AAA62D1CA03BF86C61E8DD902E92AE7BF784E9B225F99613D843B16AE94EBDDA2E30B5568E202C16784CE09309B92922CE7D00EF1E55
Malicious: false
Preview: <Filters>.. <Filter dll = "TeamViewer_XPSDriverFilter.dll".. clsid = "{40D118AB-04EA-4CFC-8C8B-85D1C7ECB046}".. name = "TeamViewer_XPSDriverFilter1">.. <Input guid = "{4d47a67c-66cc-4430-850e-daf466fe5bc4}" comment="IID_IPrintReadStream"/>.. <Output guid = "{65bb7f1b-371e-4571-8ac7-912f510c1a38}" comment="IID_IPrintWriteStream"/>.. </Filter>.. <Filter dll = "PDFRenderFilter.dll".. clsid = "{CD087E95-A362-4A50-B233-20DC89DED268}".. name = "MS XPS to PDF">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" Comment ="IID_IXpsDocumentProvider"/>.. <Output guid = "{65bb7f1b-371e-4571-8ac7-912f510c1a38}" comment="IID_IPrintWriteStream" />.. </Filter>.. <OptionalFilterServiceProvider dll="XpsRasterService.dll"/>.. <Filter dll = "TeamViewer_XPSDriverFilter.dll".. clsid = "{40D118AB-04EA-4CFC-8C8B-85
Process: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type: Generic INItialization configuration [DriverRender]
Category: dropped
Size (bytes): 287
Entropy (8bit): 5.371163047122097
Encrypted: false
SSDEEP: 6:/5KsGXMfVCzpIcPxYDXQyW59bCO2MngN+jAJh6O4BVAZVhe81W8l2y:bHfkzpha8dnCOztKh6tKe8xh
MD5: A578F666C0CB526085384D35C536B5D9
SHA1: F019631640D4BAA684CD589696CDCF1F8252F302
SHA-256: 9C8859987D13AE53C5B206A7D59660C7754A7940185B599AC97E1E806551730F
SHA-512: E0FBF7054A32B5C370E98A644AEC0478CC68FE5018E7B7720574E5E656C8B61FD51E712A20289DD72B38A9560D7D8633156CCF4E4302390BC180EFF1D2983729
Malicious: false
Preview: [DriverConfig]..DataFile=TeamViewer_XPSDriverFilter.gpd..PrinterDriverID={4949F9E6-DB2F-47B7-9489-56815A5847C8}..RequiredFiles=UNIRES.DLL,PDFRENDERFILTER.DLL,STDNAMES.GPD,MSXPSINC.GPD..DriverCategory=PrintFax.Printer.Virtual..UserPropertyBagScope=Queue....[DriverRender]..XpsFormat=XPS..
Process: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 66209
Entropy (8bit): 4.11237765266599
Encrypted: false
SSDEEP: 768:3E513+/TLYbpmS1Gx5M7ytzk9wjKS0ff8sEOxPOwhKGhBmAAGFD4iaKhvmOaoGJd:Cv8
MD5: B58E72E75C1CF590FA2722ECDA95F64A
SHA1: 651B69DAADE01DBFD7CB470B24D1C3EF2369B821
SHA-256: 9C77255FA10B116C1E5D1F8AB7D12A956455AD7610905DBD05EFD6FCE465C11F
SHA-512: 6A44613F66B93DD671546042FBD0FBE2A4B78C78AC3127E69AD8794FC53AD45F2D889E6FB59D3DA5E302B9EC3CDB787818E3DDC503A47707B9FF16B7BBE5A265
Malicious: false
Preview: *%..*% Copyright (c) TeamViewer GmbH..*%..*% All rights reserved...*%....*GPDFileVersion: "1.0"..*GPDSpecVersion: "1.0"..*GPDFileName: "TeamViewer_XPSDriverFilter.GPD"..*Include: "StdNames.gpd"..*Include: "msxpsinc.gpd"..*ModelName: "TeamViewer Printer"..*MasterUnits: PAIR(1200, 1200)..*PrinterType: PAGE..*MaxCopies: 999..*PrintSchemaPrivateNamespaceURI:"http://www.teamviewer.com/printschema/2018"....*%******************************************************************************..*% Orientation..*%******************************************************************************..*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.... *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. }.... *Option: LANDSCAPE_CC270.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. }..}....*%******************************************************************************..*%
Process: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type: Windows setup INFormation
Category: dropped
Size (bytes): 1507
Entropy (8bit): 5.236509327317478
Encrypted: false
SSDEEP: 24:f2O7xJoF+hiEvHf+My83n8rELHfVoHfusb9ooHfhHfr7BHfVoHfusb9ooHfpHfra:uO9dhiEv/+4X1/Vo/uHo/h/PB/Vo/uHD
MD5: 2C5FD2866B91861275917ADB4CED33E2
SHA1: E76DEB1717D3B1610A769571943A9C5C5A00699A
SHA-256: B7F148ED1BA6293F323E9834182D64E8756D414FF8A5B9B826E3EE2986E0B259
SHA-512: EFAAB915AD8BFA769073B4CE1FEA689FF379216D04204F8B21CFC6AA41413A94EA08E19A61613DCA29649F36E82B854861397E5E1F7C450AF7A1B656A0547267
Malicious: false
Preview: ;..; Copyright (c) 2022 TeamViewer GmbH..;..; All rights reserved...;..[Version]..Signature="$Windows NT$"..Class=Printer..ClassGuid={4d36e979-e325-11ce-bfc1-08002be10318}..Provider=%ManufacturerName%..CatalogFile=TeamViewer_XPSDriverFilter.cat..ClassVer=4.0..DriverVer=04/13/2022,1.2022.413.641....[DestinationDirs]..DefaultDestDir = 66000....[SourceDisksNames]..1 = ,,,\....[SourceDisksFiles.x86]..TeamViewer_XPSDriverFilter.gpd = 1..TeamViewer_XPSDriverFilter-PipelineConfig.xml = 1..TeamViewer_XPSDriverFilter.dll = 1,\x86..TeamViewer_XPSDriverFilter-manifest.ini = 1....[SourceDisksFiles.amd64]..TeamViewer_XPSDriverFilter.gpd = 1..TeamViewer_XPSDriverFilter-PipelineConfig.xml = 1..TeamViewer_XPSDriverFilter.dll = 1,\x64..TeamViewer_XPSDriverFilter-manifest.ini = 1....[Manufacturer].."TeamViewer"=TeamViewer,NTamd64.6.1....[TeamViewer].."TeamViewer Printer" = TeamViewer_XPSDriverFilter.gpd,,TeamViewer_XPS_Printer....[TeamViewer.NTamd64.6.1].."TeamViewer Printer" = TeamViewer_XPSDriverFilte
Process: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type: data
Category: dropped
Size (bytes): 12658
Entropy (8bit): 7.077237390641632
Encrypted: false
SSDEEP: 192:28vvoHISmpMCRsGyV2uR8OL7yKnUi8rFWQFgy50Nr7OxX01k9z3Azsx+ZPb9Vt9r:2Yo3U/4CFR+y50ZSxR9zusx+x3
MD5: 74134E66B593D16717C8124B0DEFA42B
SHA1: 5FA1072B57FCE09C70904464602C1FB7AD07BDAA
SHA-256: 3D4201227D709C49B77031C8BEFFBFDB09337AD6E0A171A7E058B0E0B04320F6
SHA-512: B3A07AF69F7F0F0163CA275C153A2155BA69D7AE5371D3390F57D6448B9B17DBA60EAA3394344F8588E0102F6EC3DE72DE8E1AB6F94B5A03F2A6C192BBD9837E
Malicious: false
                                                                                                                                                                                                                                Preview:0.1n..*.H........1_0.1[...1.0...`.H.e......0..3..+.....7.....$0.. 0...+.....7...../.'._LDJ.z....!...220505065722Z0...+.....7.....0...0....R6.5.1.B.6.9.D.A.A.D.E.0.1.D.B.F.D.7.C.B.4.7.0.B.2.4.D.1.C.3.E.F.2.3.6.9.B.8.2.1...1..g0E..+.....7...17050...+.....7.......0!0...+........e.i......G.$...#i.!0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.1.0...0...0`..+.....7...1R0P...F.i.l.e.......>t.e.a.m.v.i.e.w.e.r._.x.p.s.d.r.i.v.e.r.f.i.l.t.e.r...g.p.d...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.9.9.2.5.B.8.8.3.5.7.E.0.9.2.0.8.C.8.1.E.C.5.4.4.A.5.C.9.5.2.5.B.F.D.0.9.4.C.4...1..o0M..+.....7...1?0=0...+.....7...0...........0!0...+........y.[.5~. ...TJ\.%...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.1.0...0...0`..+.....7...1R0P...F.i.l.e.......>t.e.a.m.v.i.e.w.e.r._.x.p.s.d.r.i.v.e.r.f.i.l.t.e.r...d.l.l...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):773552
                                                                                                                                                                                                                                Entropy (8bit):6.562891536553011
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:E2qWLii0HeFTzBTqtO/zKSeAWgSd6kLsjJLPJC5Wdp24XgI7wK3l+aG7X:5qvxwdqtO/zFbWZ6WsjJzJ52Y7wK3l7i
                                                                                                                                                                                                                                MD5:D47FE8D92AF08C8FCA8E1C71DA05CEC5
                                                                                                                                                                                                                                SHA1:F53C8DEF485712748315BEFEB631453B594FC67F
                                                                                                                                                                                                                                SHA-256:698FED30F5715BAA387C89D043FB0E1C8A1C4F4C8F837510DA292A943ED778ED
                                                                                                                                                                                                                                SHA-512:DCCDC640981B68C3DDA4F949DAEED12F39C08E456588DE6BDD061CFE7BC7AEB18EC237E0358B6D6F368BC74F9B939D712363B2556BD9321C43900435BFAE6256
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Joe Sandbox View:
                                                                                                                                                                                                                                • Filename: teamviewer_Px-yDq1.exe, Detection: malicious
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................3..d.....d.....d.........................."..].....].....].&......N....].....Rich...........PE..d.....Vb.........." ................................................................G.....`............................................................. ....`...V.......I..............p.......................(.......8............ ...............................text...$........................... ..`.rdata..J.... ......................@..@.data....P.......:..................@....pdata...V...`...X..................@..@_RDATA...............j..............@..@.rsrc... ............l..............@..@.reloc...............r..............@..B........................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):8306992
                                                                                                                                                                                                                                Entropy (8bit):6.537707320579697
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:K02Ucv1JqiXcI3NOppRGG4yf5WxSr2XdlI36mW:X2UcvGDmNONGMf5y++lI3S
                                                                                                                                                                                                                                MD5:7C231D826B3BFD109350534C054EE950
                                                                                                                                                                                                                                SHA1:59D3907B41AA5D1FA75127941EF542C142769097
                                                                                                                                                                                                                                SHA-256:DAE032ABDB85EFB75CF6AAC20B45A7B70A1C69CA727AD52DD378C9CAAA635C44
                                                                                                                                                                                                                                SHA-512:71A387790855FF661F6642D3BA561C90DAC1831423EE3C2D8670046F25BE62B757666020C87AE99F4F05A46E9DF065D45709B47F80F6675AB5038C6401FCBC9E
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........-W_.C._.C._.C...@.L.C...F...C...G.O.C...@.U.C...F...C...F.z.C...@.^.C...G.D.C...B.R.C._.B...C...G...C._.C.~.C...F...C...J.K.C...C.^.C....^.C._...^.C...A.^.C.Rich_.C.................PE..d....3g.........." ...".V`...........V......................................P.......D....`A..........................................v.P...0.v.......~.x.....y.......~.0/....~.x...@.k.T.....................k.(.....k.@............p`..............................text.../T`......V`................. ..`.rdata......p`......Z`.............@..@.data...T.....w..b....v.............@....pdata........y......Dy.............@..@_RDATA..\.....~.......}.............@..@.rsrc...x.....~.......}.............@..@.reloc..x.....~.......}.............@..B................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):85625136
                                                                                                                                                                                                                                Entropy (8bit):6.658650600522072
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:786432:PB4Hds6xPbqWDmXjJDGzKLZNLt+SiqDOlpf8/F8:PKHe6xPbqWyXdaaZNLqlz
                                                                                                                                                                                                                                MD5:EF03E2E8B6BE62936FFB28EFAADB6514
                                                                                                                                                                                                                                SHA1:FF668698839A663043B40A8017A37D56AF60A183
                                                                                                                                                                                                                                SHA-256:A57EDCEB5C04052AA799EE821087C959FF6ED06351C98C0DA7C7D2FD05167C3F
                                                                                                                                                                                                                                SHA-512:F5B3EDF394F939BE8A3B4FB9BDBF9A6904DD2E629070A761A28653B8837F671A975EFF5B29529C0FCEEBEFA44141768D9FE74A3B5B19E1BAF75B49B4275CECE0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$.......^.=...SN..SN..SNU..N..SNU.WO..SNU.PO..SNQ.PO?.SNU.VOd.SN@).Nn.SNQ.TO..SNQ.UO..SNQ.WO@.SNu..N..SNQ.VO..SNQ.RO..SN.PO..SN..SN..SN.WOe.SN.VO..SN..RN..SN.ZO..SN..N..SN...N..SN.QO..SNRich..SN........................PE..d...P.3g.........."....".T....................@..............................L...........`................................................. O..P.....D...... &.p....Z..0/....D.X.....7.T.....................7.(.......@............p..............................text...c........................... ..`IPPCODE............................ ..`.rdata.......p.......Z..............@..@.data.............`..b..............@....pdata..p.... &.....................@..@.didat........B.. ..................@....rodata.......C.....................@..@IPPDATA...... C.....................@..._RDATA........C.....................@..@CPADinfo8.....D.................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):24812
                                                                                                                                                                                                                                Entropy (8bit):5.642850515262277
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:y/TQsT49/RA+ho5NhNsuOMVWFSY5o3VpWSYE8q3QeKT89NKqkfpqyRidOJe:XAb5hNVQStfWSr8q31NfPkfIp
                                                                                                                                                                                                                                MD5:CDB33F6074944D1E46820B43B3AA5155
                                                                                                                                                                                                                                SHA1:C48BA3161407C21F0FE2F1C37A93599B4B6C7AB7
                                                                                                                                                                                                                                SHA-256:12D5C4D656533096A594E1EF4EB75C5EA6EA9F5DF616D84480EE6B41D41F6343
                                                                                                                                                                                                                                SHA-512:9D5679E8911972D0600CD489E099F5633CAE5102F09F2808748CD4D3550F6052129407B68C624D04973EFB6264C2DCF0A66F0A014B5E8FDB1987E517218CDDB4
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:............ .h...F... .... .........00.... ..%..V......... ..%...:..(....... ..... .........................R...R...R...R...R...R...R...R...R...R...R...R...R...R...R...R...R...R...R...R...R...U...................U...R...R...R...R...R...R...R...R...R...................................R...R...R...R...R...R...R...........................................R...R...R...R...R...................................................R...R...R...U...................................................U...R...R...........................................................R...R...............`76.R...~fe..vv..vv.~fe.R...`76.............R...R...............`76.R...~fe..vv..vv.~fe.R...`76.............R...R...........................................................R...R...U...................................................U...R...R...R...................................................R...R...R...R...R...........................................R...R...R...R...R...R...R...................................R...R...R.
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):16315184
                                                                                                                                                                                                                                Entropy (8bit):6.642593896924685
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:fOIvW9Mrz/hauvwhVr/LvISP/xHLhrUNkVQ4b4d1qGICyweztZKWs3Mxdg7hBP+b:fOIV/4uvYnvH/RtcqV1wIZ2OiVFVomO
                                                                                                                                                                                                                                MD5:D3184FE9DF9AF2651D8B285978B8CC65
                                                                                                                                                                                                                                SHA1:F1FF6CC86A242D09A1994D62CC96F9B8D95FE76F
                                                                                                                                                                                                                                SHA-256:0D3F258763D8D5C601B558A8CD815065EE96E21C9B7800643EE2041F205D9EEA
                                                                                                                                                                                                                                SHA-512:1A16D5D448DB50BA0267B70BA678E1023C8B53619DCAB36005DCF4721D518B0B089F83D06B2675305E0F48BC12753BBF958C3FC330FB8ACBBA4B858FD08B8AA0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......9.{`}..3}..3}..32..3u..32..2n..32..2q..36..2n..32..2...36..2[..36..2|..36..2v..3'y.3..3...2...36..2|..3...2..36..2...3}..3l..3}..3..3...2..3...2|..3...3|..3}..3|..3...2|..3Rich}..3................PE..d.....3g.........."....".....zL................@..........................................`.................................................p#..x....@..`l...P..........0/..............T.......................(....6..@............................................text...x......................... ..`.orpc............................. ..`IPPCODE.a......................... ..`.rdata..p.>.......>.................@..@.data...4....P.......*..............@....pdata.......P......................@..@.didat.......0......................@....rodata......@......................@..@IPPDATA......P......................@..._RDATA..\.... ......................@..@CPADinfo
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):652080
Entropy (8bit):5.121982276129856
Encrypted:false
SSDEEP:6144:GEPLX+/+PlxYFSCHAFUEojFN6zqDsXuiohhLdM2HBG5z87L:GEPLX+/OldjFiFN6gsXdoxaz87L
MD5:49F29369B987D17428689C0B40754654
SHA1:E8899D0409001C06734D8CFA865CB1DD6929E651
SHA-256:69D3667F77429AA1E109CE766B46E8E79D9A4A496385FF7A8AEC388D329E35BF
SHA-512:38361907CB1371ABBEB278F384792802A860B2CF61D71F74DCDFDDF7BB08006DEA16B6BEAC53E78C2E08A45969B3D46C6462785B9BC1B95F4A08CADD16F4F71B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H&m..G...G...G..G?...G..C;...G..C;...G..G?...G..C;..VG..G?...G..G?...G...G...G...;...G...;...G...G...G...;...G..Rich.G..........................PE..d.....3g.........."....".j...p.......}.........@............................. ...........`.....................................................(.......X....0..x-......0/..........P...T.......................(......@...................8... ....................text....i.......j.................. ..`.rdata...t.......v...n..............@..@.data..../..........................@....pdata..x-...0......................@..@.didat..8....`.......(..............@..._RDATA..\....p.......,..............@..@.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):382768
Entropy (8bit):4.336723902201868
Encrypted:false
SSDEEP:3072:qNtIX+j7T4YXQwhoLZtXICyULHFjHJxnPYl+awPZVYlN6sMsd/b:qNN7T8who7DZiwP/YlN6YD
MD5:513FFC1FB618095C2EF8C1930D782ED0
SHA1:9175900F4A5710A1847E6FDBA47EBEEC98C1FAAC
SHA-256:10504607478067A86BEE1DC69AB349A736B1137521A09111DFAD5721D297D00E
SHA-512:7AA5B419438A6F8AC081B5DFE5CF6665451251F0211FEB51E58C6F293A93E0775EB319DB3D262427807CCC9DFFAE18052AE62D02924F7396C7DD8DFC18B90F05
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!..."..................................................................@.......................................... ..................0/...........................................................................................rdata..............................@..@.rsrc........ ......................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]...d...rsrc$02............................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):447792
Entropy (8bit):4.274671808882741
Encrypted:false
SSDEEP:3072:sNsGpzFbhhqXjJbAMDZpRA01jr0fabYjby/59BoliII7psM8ZosNx2akpOxlsRaL:sNOmMYDOi8wL
MD5:64B881D33CEFA652BC99A533296AB23F
SHA1:218505017B86DF511B354BF5B29D4EA8131831B3
SHA-256:9DAF7C0153B764151C1FD4D3EF0657930A0DDB5C22F51B0872B89945865B5BB9
SHA-512:9666204AD515316D30198D591C98E9EFB45C5D675E8D1CEBBA5542D9E01E76F9478175BDDDEFD808C3729A7306A1F88AAF2593C17816086780E64FFA697CE513
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L....3g...........!..."............................................................+.....@.......................................... ..................0/...........................................................................................rdata..............................@..@.rsrc........ ......................@..@.....3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..pd...rsrc$02............................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):417584
Entropy (8bit):3.944204457073994
Encrypted:false
SSDEEP:3072:PNE0kkALenmGn5ea0hOL/LbDusFbBtQFNWP6ZPOxjMaWg5iCFvVGZCo1yUvq5AEp:PNzlH2MQAO9u70EFUu3rbP2OoY4U
MD5:57A20B60BDCCF1A339C607C74693D3F9
SHA1:22C0EAD23CF35F2BE9E812CFF6B0CD5D7589514A
SHA-256:795F05F3B9B02AEEFD6FA2165BD72A570488EB18EDD33CAFFBC96507C37DDFF9
SHA-512:F2046606B86C429F7EEEF25BC2095EE558361ECEA5BE07691337D486BC8DE814281EFEC9CCC7421DF6A3BA2463A90757B08CE1880C2B52826ADA8DA16D32499E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!...".....................................................P.......0....@.......................................... ..@+...........0..0/...........................................................................................rdata..............................@..@.rsrc...@+... ...,..................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ].. ....rsrc$02............................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):411440
Entropy (8bit):3.6900986952283032
Encrypted:false
SSDEEP:3072:NNRn5gGpUXPql7P07P6W2ZOxCT5OShtiOncyct7HeDzMC+/CDedchrfi/wzcJpHF:NN5q70sErYR
MD5:0F7BEA067FD543BB1E216A4937724759
SHA1:62E0D96758D1E6C127DA742653759CDE8F658051
SHA-256:DAD39A828E6CFD77B1CEB94C2F251054097F73F20412C1F2F2F512A1BDEA5F69
SHA-512:92093542B47F568F4D5982D0F5B440CE260012D8B6A10A3A700DB87EC1F0D59530D5954A980081D62EEAF8DFCB0F484D48C4803FD7A4FEAC5AA6097E320660B8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L...g.3g...........!...".....................................................@......M.....@.......................................... ..................0/...........................................................................................rdata..............................@..@.rsrc........ ......................@..@....g.3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ].......rsrc$02............................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):460080
Entropy (8bit):3.677814163230104
Encrypted:false
SSDEEP:3072:ZNs9PNMHDB74Zpf97C0QpqlCumdO5XyzTFmyGOak1vofx9fuxMBFcKjXSSnNCxpx:ZNycq6uWtvvXbG4PD
MD5:E2803A653F35630C69E85A069A33AE73
SHA1:BA68DF18D7DA064F6A657B2C4765A218EFF212E8
SHA-256:C5441729770210CF2A62003293B851653F35C95014189477BB2EB8264076D6E9
SHA-512:F025B2613A7C570F86F718B7C688D820880518BBAA0BBC876D05EEBBDC8964445B6E175B6BAC74829D0EB1F5BB6C85A728D5A4A63644D5EE6D4C90C8235A5A92
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L...<.3g...........!...".............................................................e....@.......................................... ..................0/...........................................................................................rdata..............................@..@.rsrc........ ......................@..@....<.3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]......rsrc$02............................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):487728
Entropy (8bit):4.3924282228119935
Encrypted:false
SSDEEP:3072:ZNNLyTZk1/K/UKMw8LTFc61Kpl4n3INi1N5F78zocrJkdd2wQfafv+nAXFFHrfC+:ZNp7TuwSoPNdVIM44DPcB5GJj4NvFe5x
MD5:6C8C859DFE8A16BBE7D56E18095051E5
SHA1:FE150A6226C0D70D5CE330437AD206B6E7613377
SHA-256:C98259E3B5942304AC53F0E8A5A95BBB1519E8DF2A292805FA67AF795B18FA35
SHA-512:EE8C4336C219CBA6ADC2CA56450975CC0E930E7E16183598E284ECA8748736C40973CA11A0DBDF4F5289E337552340F6136FE7AFE1BD608E7F9A7164C47FA281
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!...".....@...............................................`............@.......................................... ...<...........B..0/...........................................................................................rdata..............................@..@.rsrc....<... ...>..................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ].......rsrc$02............................................................................................................................................................................................................................................................................................................................................
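The dropped-file entries above give, per file, the four hashes, an 8-bit entropy value, an "Encrypted" flag and a preview of the PE header. The previews of the PE32 DLLs dropped under nsc4E1F.tmp\nsn4EAD show only two section names, `.rdata` and `.rsrc` (with `rsrc$01`/`rsrc$02` contributions), which is the layout of a resource-only DLL, while the first preview (the `PE..d.` x64 image) carries a full `.text`/`.rdata`/`.data`/`.pdata`/`.didat`/`_RDATA`/`.rsrc`/`.reloc` set. The following script is an added example, not part of the Joe Sandbox report and not TeamViewer or Quasar code: it recomputes the hash and entropy fields for a file and reads the COFF section table to classify an image as resource-only. The PE bytes it builds are a synthetic, constructed header skeleton used only as sample input; the sandbox's own "Encrypted" threshold is not public here, so the code reports entropy rather than guessing that flag.

```python
"""Added example (not from the report): recompute dropped-file triage
fields (MD5/SHA-1/SHA-256/SHA-512, 8-bit Shannon entropy) and parse the
PE section table to spot resource-only DLLs (.rdata + .rsrc only).
The PE image built below is a constructed skeleton, not a dropped file."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag
IMAGE_FILE_MACHINE_I386 = 0x14C    # "Intel 80386" in the report's File Type
RESOURCE_ONLY_SECTIONS = {".rdata", ".rsrc"}


def shannon_entropy_bits(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant
    stream, 8.0 for uniformly distributed bytes (packed/encrypted data
    sits near the top of that range)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests matching the report's MD5/SHA1/SHA-256/SHA-512 rows."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_sections(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sec_tbl = coff + 20 + opt_size
    names = []
    for i in range(nsec):                      # each IMAGE_SECTION_HEADER is 40 bytes
        raw = struct.unpack_from("<8s", data, sec_tbl + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": names}


def is_resource_only_dll(data: bytes) -> bool:
    """True for a DLL whose only sections are .rdata/.rsrc, as in the previews above."""
    info = pe_sections(data)
    return info["is_dll"] and set(info["sections"]) <= RESOURCE_ONLY_SECTIONS


def build_synthetic_pe32(section_names, is_dll=True) -> bytes:
    """Constructed PE32 header skeleton: DOS stub with e_lfanew, COFF header,
    zero-filled PE32 optional header (0xE0 bytes, Magic only), section headers."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                       0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    secs = b"".join(struct.pack("<8s", n.encode()) + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


def triage(data: bytes) -> dict:
    """One record shaped like a dropped-file entry in the report."""
    rec = {"size": len(data), "entropy_8bit": shannon_entropy_bits(data)}
    rec.update(file_hashes(data))
    rec.update(pe_sections(data))
    rec["resource_only_dll"] = is_resource_only_dll(data)
    return rec


if __name__ == "__main__":
    for names in ([".rdata", ".rsrc"], [".text", ".rdata", ".data", ".rsrc", ".reloc"]):
        r = triage(build_synthetic_pe32(names))
        print(r["sections"], "resource-only:", r["resource_only_dll"],
              "entropy: %.3f" % r["entropy_8bit"], "md5:", r["md5"])
```

Run against a real dropped file (`triage(open(path, "rb").read())`), the hashes should reproduce the report's rows exactly. A `.rdata`/`.rsrc`-only layout with entropy in the 3.6 to 5.1 range, as listed above, is what legitimate localized resource DLLs look like and is consistent with the 0% ReversingLabs detections, but it is not proof of benignity: `.rsrc` is also a common place for a loader to stash a payload, so treat the section check as a triage filter, not a verdict.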
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):401712
                                                                                                                                                                                                                                Entropy (8bit):3.677935838671882
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:eN5pZMf+PIMS6rIakScR7344Pad+onG7n69vjk8Kt9ue9pQuKK5WF0g/4u:eNl0den8nILPKSeaxrD
                                                                                                                                                                                                                                MD5:2D8ED226FE227D0D9BC66929712A10A4
                                                                                                                                                                                                                                SHA1:5180C433F2B1BAB818B07E269F2A6B6E057C58DC
                                                                                                                                                                                                                                SHA-256:92814DABD4BE397781321918006A6488FFDFD224EFA03F9487C0E42DD79B8AC2
                                                                                                                                                                                                                                SHA-512:7D5929C56DFF56CFAB5981A9048B6A4032102DF7DB1645C76DD49EB185096B40189D4DB317BD79FA815807E8208BB8F1BDEE386EED1C6530996B9757574CC833
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L...F.3g...........!..."............................................................{u....@.......................................... .. ...............0/...........................................................................................rdata..............................@..@.rsrc... .... ......................@..@....F.3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ].......rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):455984
                                                                                                                                                                                                                                Entropy (8bit):3.61117792135751
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:MNn2TasbUVcbHah2003ABms5OU92QxLdsxwXU93sxw39uy7SBJunhLYAD75/Q7Ex:wJ/G
                                                                                                                                                                                                                                MD5:3D978EABD81511C62229CA9A848D2F0A
                                                                                                                                                                                                                                SHA1:F95AD8A9FBAEFF72ED36607D4388D0C2A715B8BC
                                                                                                                                                                                                                                SHA-256:DE958DC2A60D9AA396EC8720D5BB39348A6785D9A4732F4EE380B663AE6E1C22
                                                                                                                                                                                                                                SHA-512:D4B05C281596A00960CC3B93F3011D71EA1DB9E1073689B886F0FBC205B2A9C205D7121A3CD219D2CC14448FD0FEDD7F939C17BF3FE633DC9387157418C4EEAA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L...}.3g...........!..."..................................................................@.......................................... ..@...............0/...........................................................................................rdata..............................@..@.rsrc...@.... ......................@..@....}.3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ].. ....rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):412976
                                                                                                                                                                                                                                Entropy (8bit):3.6696075372697208
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:INdqyrKYCoUgVWOZWrmHMyJTGkCCHvG9hutYcWQjr0:bXq0
                                                                                                                                                                                                                                MD5:0DC85892D76CD1102A3E6FF6E058E2CE
                                                                                                                                                                                                                                SHA1:A65535E0D2BDB158F2DD6642BAAA99EBC988269D
                                                                                                                                                                                                                                SHA-256:664BD7E12FFC04A71B2A8E37E8355561184737757ECB18E6806B39D011E8F642
                                                                                                                                                                                                                                SHA-512:C22A90B29602A096ACA792F91FF164E68DF7126A44E8429C0B4B9724C50B459B3CF9C835582FD704397F031AF27EBC9D608A4AF484B56B774388202925395EFF
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!...".....................................................@......']....@.......................................... ..`...............0/...........................................................................................rdata..............................@..@.rsrc...`.... ......................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..@....rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):475952
                                                                                                                                                                                                                                Entropy (8bit):3.6413069266245923
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:ANi0IvRbnBkCYE4fMhAJZ2W6Y+ZyeApDk9557FjZwntu0Nj/C:ANMneOI38W6Y+ZFlVwnD6
                                                                                                                                                                                                                                MD5:5B97F99ED3B5A99DC413500F3A7020B8
                                                                                                                                                                                                                                SHA1:BD4395CC149E4079E24A5DF5998EA700E3825E1D
                                                                                                                                                                                                                                SHA-256:10B0460BB5F0B94C15231FEC7054F1B6991E039FCBAC20C93173A5A6F1D9BD1D
                                                                                                                                                                                                                                SHA-512:7262984BE72D878618DA0344E235079D4C5CAE19093D2B553923716D931A568FEEB3AEF11290E794B0D3E230FA13A012E922F472F55EFE261ED9BD41452237E4
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L...Q.3g...........!...".....................................................0............@.......................................... ..P...............0/...........................................................................................rdata..............................@..@.rsrc...P.... ......................@..@....Q.3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..0....rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):336688
                                                                                                                                                                                                                                Entropy (8bit):4.465302989031539
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:HNwE86CVLIADQQLjQOu1r7bihsvEojtJkKsQ/ILEis:J868UQLjQOu1nbiO4KsQSs
                                                                                                                                                                                                                                MD5:A0D36CD17EF93A6052432FD90120FABD
                                                                                                                                                                                                                                SHA1:4C4720305FF8C2D8547B93D5E8779849FF24039B
                                                                                                                                                                                                                                SHA-256:CBCE1AA9CD42F5DA131D303B7D2B89ACE839F55C570DBB3BB8283A63676CFA2A
                                                                                                                                                                                                                                SHA-512:7E8148444BB4F748C73D03FD0A133B05330E46CF9415133E14DECA5A7F1BA6B36BFEF37518D2DD1D3AD512E60DBB98CFA44FDFA48CDA454AEA4066ECFD56988F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!..."..................................................................@.......................................... ..................0/...........................................................................................rdata..............................@..@.rsrc........ ......................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..`....rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):434992
                                                                                                                                                                                                                                Entropy (8bit):3.7404379881615846
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:zN26UDABostCju38Zwxl7OafE+KSBA5fEMumY0oR17ifc+Wv0kk7n3/SUvb18R/+:zNFxztCSsZw37DkSWsZRW
                                                                                                                                                                                                                                MD5:C1E3F2D4FCBE719BE85D55673B63BC4D
                                                                                                                                                                                                                                SHA1:8D8F12A4B968BF4B91F92663BB2ED90ACF2C9947
                                                                                                                                                                                                                                SHA-256:3DD5EDB2ECD62DF1CD05D9797223F3E464DC10D7052B38352094627A41EE7BA4
                                                                                                                                                                                                                                SHA-512:E2287157B693DF4EBE7557D41DAB7BE098348BBD7A93FB72E8E1F31DE64DBBA89F67C3467AC53417716FDC34310CDE88D44CEC709EE7E48F6BFDA27F59D48B3A
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!...".....r......................................................X:....@.......................................... ...n...........t..0/...........................................................................................rdata..............................@..@.rsrc....n... ...p..................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]...1...rsrc$02............................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):448304
Entropy (8bit):3.819894570217334
Encrypted:false
SSDEEP:3072:0NJBaDYxtVtcuehcMLhg5RcQ98xYKpYNtwzqPs1U5ihwv+Yk/l2SPyiHo/c5ZQRT:0NEQRyT50yXB13oFn32+sdgwVsT
MD5:0598E989FDBAC8A3BEECCB82228EFEF7
SHA1:B687B2F33BBDE2D3CB91FB794AB4717E7C56508E
SHA-256:CA5AFDEACE4F99DF885DC1CCA7E8A5430B91E193610A2B05585CE7DD26D83379
SHA-512:35163A1DFA7CF622B088E8872901C0ED17C2CD3E2BE000AC28F3B30D75AD9131FC063813CF91161B4B1910F9F48D2CC5C1BB1967E7AD07FA7A574F250F0675A6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):419120
Entropy (8bit):3.647004993502636
Encrypted:false
SSDEEP:3072:vNAk95jHDue/7RhlV1MjqnsIjydlyjOWPvma+pnGAg4NtgHzOi/hX:vNd/T7FbRjydgCC1
MD5:7837FB6EF7DF09CB67CAFA715334B819
SHA1:32986BF01298CAAF7FB897D6CA78D3642A4E96D9
SHA-256:703C9BC5288175973AED875954767170ACBA696364181952872BC0C162DA6B96
SHA-512:40859ACC024EC464FDA1C788ABF429186B56DC01345D423AF20EB2B8EDB5EE988EC14F44A85706882142615A7EC23A0FF1AD94D17FE1A30C4727EF557CFE1B79
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):451376
Entropy (8bit):3.61660465185004
Encrypted:false
SSDEEP:3072:tN5p1SOwQZ0I/09YiX4EJDH8efKHDu3wZMBTwvl0VAaRIwQ3/oMtdCmr4O+Aa02f:tN5TNwWLEtHt0MIWAaQm8dQ
MD5:08664CDEE9083323BD2A512A422F4442
SHA1:2D22989ED8FDFAB69FDA83E9D3AC122235AE96A5
SHA-256:6811A198C67AF6909BA0A9E36974E8BC7A0D247F577041E66F13B9DEDCEDB4E5
SHA-512:6A6AAD8BDE712F4BEFA37040D4D2FD7CF1174D6C7A0865F4499418671EEBCE359EE169FE429D331DDCB2CB2778C3416B78FD39C959FE75C5BC54E54AD72FC4E9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):255792
Entropy (8bit):5.5239889037798156
Encrypted:false
SSDEEP:3072:BNHSBUYYv/SV54CE9J+45tpVCQGu7lUzVWSqZAxXakiAVwz/YDTgcDcO2t3qdcB9:BNHpXlzgVw0YPBGl9hk
MD5:BA4482F5BB4FE1AC104E64F0315B342D
SHA1:DDFD3DB8FAF065D6E80A02DC49A974D818B3F862
SHA-256:E488FA29DE9FE6700B9870D1BEA99BED95906ABEE53D5445AC61D246B0D10FE7
SHA-512:C803DF25F6DF0B32D92AB9D8E6F6D5B5F65B965EBA0E60B9132E54FB0E3FCE3A8C969B0CDFB23ECAB9F9E7AAD6C164D726ECF4A43D53F1D0CB897B15AEDB9D9C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):249648
Entropy (8bit):5.644474255154363
Encrypted:false
SSDEEP:3072:tN4uHCzHKIQnZcmPTp9vgeSneem/QVBbTHvui9BqV4DSjlkSdlCHCqze/a/E:tN1C+5cm+9BUys
MD5:12AD084B7547058CAD474BB3951E912E
SHA1:0F33E3CE36CDC1B6317661E29F5C3ECBCCADFFC4
SHA-256:0CB6F9D7E08CCF07BDDF825AEAF45AAFE3E7D9E89666737890F4813BD63BF57C
SHA-512:35DB3181C3D5103F615A7435C96E7E7FF9CB216CD6367829BD513D168F04AA5A375542E1D81B732685E81D567F9D5733598334642826BCB1B777E5EDFB4813DA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):441648
Entropy (8bit):3.824660956670209
Encrypted:false
SSDEEP:3072:5NF28cWe59Jjva4odQDyPh8rp2NgFgXkLZB3fUEO9VZ8vllQBSCTupSCjh0fDxd6:5NM8+ZInNXIok7
MD5:2DC459ABDBAC050BC9BF128687E4B3DF
SHA1:B2E74BFE4F7624BE4BF9D5980E8D58988742F367
SHA-256:560D9DFF99F732ECAC7A66C48643352D0FEB92C65469CFCFD4B480627796FEE4
SHA-512:62629AEA3AD82FB4BFD2D58DCE2E6BEBA5DD8397C721F9809AE59000A9A025CC502C65FAC69A801F144A1A0EFEB50D0378882A2E0AE06C867FFF5A31F4ABE8E8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):444720
Entropy (8bit):3.628002476208683
Encrypted:false
SSDEEP:3072:PNxfX37/LbVWPIogpG2QVUNw/rn3teH/QURrFkaVYx9jUrptaasWaT8FxaKTJvZG:PNxfhqvWUF1vr2vFVsWSlB
MD5:51C094716CDEF71171609903C8AAFFFF
SHA1:AFB6CAC59BEC2540191B4FFA746D7CD90F4E6D96
SHA-256:02988E72FC4383C09FC88CD08558B8C8D882B4D8E011A887354DCC093C14D267
SHA-512:4F06E2AA6A52FD7A9BA329B1F93B11C3ABEC03103F5BB9B241C37B8F93B3D8EE9BE988FD1A907EB4DA67C3F613818D8FBB7D95CD3F3547CD32F0CF67E12B8944
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):406832
                                                                                                                                                                                                                                Entropy (8bit):3.685184360796393
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:pNEcw/9/mYX/bXrQPo1vhctz/psJAQsJATfhzxATelfVJ5ZQNU/J2JMw19CgMhnX:pNRlx3Zfmd
                                                                                                                                                                                                                                MD5:0F3A79C7B0C1E12363DD667B68EEE909
                                                                                                                                                                                                                                SHA1:D7195A330B9F3CB240D1C4B587F4C39E84D6171E
                                                                                                                                                                                                                                SHA-256:12541948539D17AC3B1CF7D08A24060920719B9129790CD3A63167A32055FCE8
                                                                                                                                                                                                                                SHA-512:8A7C2C395630CEC128BD1DBF3D4C2C788216356E0BBE6A8BE6FBAF608D279676A1B16457BCB5941A8E1CDB3CCEF2889ECF8FC61659C557A641F8F6BC2EB1A260
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!...".....................................................0......P.....@.......................................... ..................0/...........................................................................................rdata..............................@..@.rsrc........ ......................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ].......rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):444720
                                                                                                                                                                                                                                Entropy (8bit):3.8844397051722477
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:7NaAQtPb/oZo4synbxIkqZd87eEIspDhDYDt/dch+jEa6OXyPZU/r:7NkmvHpD9YDta+gCBz
                                                                                                                                                                                                                                MD5:61E43AD0B8D5FF40D0DE1FC348050D9F
                                                                                                                                                                                                                                SHA1:A91BE32D753A281AA7E2D186A100DDA0821D8BC1
                                                                                                                                                                                                                                SHA-256:180D2590B2474C310D33F5E1C386004A36A517EC1A0E857D9758A001D9590ACF
                                                                                                                                                                                                                                SHA-512:BDE04951299F53DBB4B9B96AEAC2FD293FC794E56F06517EF820D032FFCC422C5FDE6F7560BCD0DB7C113E2B34F7B059E6010413CD47561705DCAD8A7D352C2C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L....3g...........!..."..................................................................@.......................................... ..x...............0/...........................................................................................rdata..............................@..@.rsrc...x.... ......................@..@.....3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..XW...rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):438576
                                                                                                                                                                                                                                Entropy (8bit):3.662598624261109
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:UN99HXpcYqo/SB+keVl6RQ1OMQLEvDDaS7kpx/Xz:UN37/naRqlW7
                                                                                                                                                                                                                                MD5:7FC44921490C9B659CE21014F29E02B5
                                                                                                                                                                                                                                SHA1:41841820C81E84B3A153D1E71BAD90A1CCB9E8D9
                                                                                                                                                                                                                                SHA-256:B772E0F9EB92A7D79FD6E383E446727CABA1A0BCA1725E719EDE2B2A75A35B57
                                                                                                                                                                                                                                SHA-512:6CFA2404F2D000CD16F139D41DE7A0F5DE58E279FA2857AB7EF477AA06B645CB37D326C7EC2EF1D7609191286B7B93C81F3361BBBAC5C653CE887EB6979EACE8
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!..."..................................................................@.......................................... ..8|..............0/...........................................................................................rdata..............................@..@.rsrc...8|... ...~..................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]...?...rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):462640
                                                                                                                                                                                                                                Entropy (8bit):3.760042685339397
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:GNxlPqoAmTY+mO/5z2ap8ImhBpr9pmZsnecOHOPCC4ui3gXXjtRUpgJKlAqlwSoi:Dls
                                                                                                                                                                                                                                MD5:64368FFD42598CEEC16C5CB6EF28B086
                                                                                                                                                                                                                                SHA1:CA81EFA15B0C115F741D325747F1248A2A1BDF73
                                                                                                                                                                                                                                SHA-256:9BA335C6BF51352EA96474A0216415942D361744B5D96CA1B53FE80A9CC89C3D
                                                                                                                                                                                                                                SHA-512:DD2F825A66987173AC7D214F933B11F97C0C3F334DDA09B50D726C5602A4D9E59F86772C50CF573A02A184B9CE3761455D9D524B8453E2F3FA6AB06CE293FE02
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L...:.3g...........!...".................................................................@.......................................... ..h...............0/...........................................................................................rdata..............................@..@.rsrc...h.... ......................@..@....:.3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..H....rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):445232
                                                                                                                                                                                                                                Entropy (8bit):4.345162063583558
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:8NZQWwJlyo2D4i/IvBgWrCd+y5jsgj2eaqh/6y1wBMktt+WX8dLTOsiU/d:8Nw04mut+tPl
                                                                                                                                                                                                                                MD5:976A3EF9EE5553B73F36A6CA646A3A35
                                                                                                                                                                                                                                SHA1:E5667986292B0D25B333F94C23BA4A582DE4C2C6
                                                                                                                                                                                                                                SHA-256:F02163EBBE7C856374057E979B2CC8D7D1841EF5A58815CA4F7F9DEE2F9E373F
                                                                                                                                                                                                                                SHA-512:E231DBADDB70E47F2DD983E3A45C699C68B66E0C9EF4ED995299E6579F0DFE04BF206C650D85C8580EB6478548B3A1286D3D53D00A1CD84AE2DD53434EAC614F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L.....3g...........!..."............................................................q.....@.......................................... .................0/...........................................................................................rdata..............................@..@.rsrc....... ......................@..@......3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]...Y...rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):430384
                                                                                                                                                                                                                                Entropy (8bit):3.881624332655778
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:6NVr+CzkliVLjgTllqcfO5BT7bF9mQeLF7A2ubIr3S4WWe/jHHtc6B0qzDWA5lP0:6N+vp0qlSg8N/ZBHPg
                                                                                                                                                                                                                                MD5:E6929C83BA3FB74DF718BA370BF88AE4
                                                                                                                                                                                                                                SHA1:6F833CCDFDA5DF382D87DA3CE15215A1B53791D5
                                                                                                                                                                                                                                SHA-256:0F0CE1A8C2B07896C04D378B5B8187BD3106FB16A239CC79C595DB30431D32C9
                                                                                                                                                                                                                                SHA-512:7BE761D5407ABF4CE1E7EBF9C171A695232071E32578F339707FADE588E0EB26B6B45875E9936B3EE279CD5780559E88B6C9A3CEDA7ED752DC390938D1F2F64D
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L...E.3g...........!...".....`......................................................(.....@.......................................... ...\...........b..0/...........................................................................................rdata..............................@..@.rsrc....\... ...^..................@..@....E.3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..h....rsrc$02............................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):429872
Entropy (8bit):3.742433535213962
Encrypted:false
SSDEEP:3072:LNPOD/v+AHa291uVZVAZcMMv40K4+0stMpNu3k3+hB/S5Hs7hUvEnfS755P1ER1/:LNsVaYW540JHpUUIn+3PHmXWbsmdstr
MD5:F46651A9BEC66D71EF2A7554B3731463
SHA1:49B0E0FDB9438848B86244F47BF2999A4FDE4144
SHA-256:1A5DD2142C66BECEB99415B0A1ABF2BD0310857B6A4B61E099506CEEE59A73E3
SHA-512:B495070B05A87E6D232532EE0C0A68258BEF153E8F626FAB3473D33BA74351951D7C7D3BD89978F55A5BC2C645B3D902661BE56CC4BBC8387AB337305A1A71F5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):410416
Entropy (8bit):3.724018748105119
Encrypted:false
SSDEEP:3072:8NeQ4ns/DX8CNRbjDr1E4kHk7IFBMlU/Wo7UwQddabm7Doe51jaO/YV+tL8tVL3l:8NeDnp4XkoB1bhFBY
MD5:C9B3394CBF0FD17C4CE80933754392B3
SHA1:37A51405221AA2CCFED69021EB097F8D579FB399
SHA-256:30BCB07C1A52B6D49A1816377EB6D2F34E8CF63DECBCBF2256339DFD515E2FFD
SHA-512:FFC6EC98A16B9FE9DE7A5B0ED3EEAE2649F1E883596786AF8CF860E32B5E9ABE714C8D3DD2EE2405CC9DD7C6643BD8886AB5373B2596BA9ECE2C542B5D7B2881
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):397616
Entropy (8bit):4.5378484416090945
Encrypted:false
SSDEEP:3072:gNSiyD1Ja7bVSCCn8a/uO9NanCBhBh79pwhZpk1gFMGSI3yeB73u+bf/DC:gNUgRSHQaI352
MD5:99289969CA72D6E7B5AD982730A1641C
SHA1:3ED18D9FAAF32DC00D11F3377ED6FF59841BCC35
SHA-256:837783AAEF963F2F5DEB0B22A7CE875F9900FF61CA41E9362295E457FE1DD959
SHA-512:A21BE03A91E646A441CA4427428F9594D79427F3F7EA0001374EA214E09B7AB9C585D8DF1ADA682D3086DAB29052170B0713E69E00D4C31FE803712FD09CFBF8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):415536
Entropy (8bit):3.8945278850522436
Encrypted:false
SSDEEP:3072:DNP/M4v2h5ooD6qrQrxO9VEaOy/4EZPvsnNM+cJRS1klrD5oNAr0sJIS8HEEiLnM:DNX6zvsnNCoXw9hRacRzc7yj4
MD5:AFE6CF3CEA7F0453F5B678CC9AF1CDE9
SHA1:17566D68DC26838C51274295CD1B519D49F22691
SHA-256:48015D7439ED9FB3D86B778525BE8C9B1C49E75855BD82DC55B616C0D05B4956
SHA-512:FB44757317ACD945960C6FF728E0FAE05ADB0AA865C95F05A63E1EFDC49B50775C09D7CA25986354E8B0DCF345A4449950356EE285062A419E83DD022B73CC30
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):440112
Entropy (8bit):4.368660233666246
Encrypted:false
SSDEEP:3072:MN8D1xxNKRcO5TyZUUJPKY4jgUgRQiXYL7fe/7UVitNbwyjCAyyaaiiQjFqZ0UFd:MNQxhTGkt/Ljok
MD5:0B8832DE8B98424331A3CEA77561DB3D
SHA1:3AA10F7B386706EB95E7126051BDA8313AE7A79A
SHA-256:D1A86642F816EACB751D997E53557916F79213CA994B5FC1CA5F98B65868DF0D
SHA-512:B25D703A187327D3C253B259EAEF6D136069CCF0D86605E6B98698275FD5BCDC42F83C43C1E444F3272BBEAB3D441481D7B353F55C689836FA431BED026818AA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):445232
Entropy (8bit):4.197917458611077
Encrypted:false
SSDEEP:6144:fN0F+xOdgYDbwp68tkyfTdHid5s2ZMQkeMZs5rceohHLx:SvpUaSrx
MD5:A28F6234836449378972FA4C49B1B573
SHA1:F11556BA5621B9C844625717F7713D6A294AB984
SHA-256:9A4DDF7E4F561ECFEF63956FCF23304724E6B5DA30FA1734BC22AB8129E00F3E
SHA-512:02649268CE8E7AF99E63CD47659160853BFCEBDF9DAE026CDCFA98CD4A0F7D23B5A41763EA4B41D19B742BDEEDD8AC483752FCFB516ABCDB8114A4C761B2A187
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):194352
Entropy (8bit):6.058995434031819
Encrypted:false
SSDEEP:3072:XNV5FxIjlioSnfY9yIGJD4Gh+jrOZUiXQU+k4yLfg8OQWQRt3/b:XNAjonQ9yIGcjniek4iX3T
MD5:21EAD4236D0DD62F19A48E657DFB342B
SHA1:206E222004E281D5C21E99C2FE4807A0776F5F81
SHA-256:CC9F0B70C3496FF16302F3CF52703E4D98040419D5948EB8651C2357B9BFDD53
SHA-512:8050175B360FF1FBC18756FDF81C7BCCB7BF18BCFA5A9DECFA422D4DBC3A28676C05D2068DCFF9340F2308166A61A6E915A8664251B77D3E0BC1D48DBE6ABA55
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L....3g...........!..."..................................................................@.......................................... ..................0/...........................................................................................rdata..............................@..@.rsrc........ ......................@..@.....3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..`....rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):194864
                                                                                                                                                                                                                                Entropy (8bit):6.099202422195636
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:gNIm5gMYHcWLiw7iHuvCwRNMdMHa/5MuAi3ZQUhkZVx8906OU/SF:gNImcHc6HUkNRHa/5MuA4QUhYAOUaF
                                                                                                                                                                                                                                MD5:D31C5EC36B40C97A970E5DFBDA2A0C44
                                                                                                                                                                                                                                SHA1:141C4A2918C6305B02E2683121F4B385BE51ED4C
                                                                                                                                                                                                                                SHA-256:A3F0622DADABB8264DCB0CE1C25959347614F54448F781F69CF4825E8BBAA3D3
                                                                                                                                                                                                                                SHA-512:2B53489CD34E828346BC0F1C77F288510A3BC69D3E69456786BC80DD665FF051AEB32A90169D7D09A7007A8F6DC6FDB6E4FAB906857808970594714A60AD48BB
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........PE..L...|.3g...........!..."............................................................W.....@.......................................... ..x...............0/...........................................................................................rdata..............................@..@.rsrc...x.... ......................@..@....|.3g........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .. =...rsrc$01.... ]..X....rsrc$02............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22681904
                                                                                                                                                                                                                                Entropy (8bit):6.631480939944556
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:393216:KcTW/8hgQcbLqItw/cIqiQwxhWt24zvIR:KqQcOs
                                                                                                                                                                                                                                MD5:E901C556A63E8738AFFA2D2F1C82DA4C
                                                                                                                                                                                                                                SHA1:87092E6C7A60C8E8595A7C034DADFAA55DFF417D
                                                                                                                                                                                                                                SHA-256:4E40C3381FB5A99BCC4ADF2E3B6F3ECD1E224C4CC22B39648552EF4514EA933B
                                                                                                                                                                                                                                SHA-512:314BED464671B2B5E9A94B3EA2E3BB2E3899A5B5CAFAD146691B5A6A009D50414DE2A84B518E2F7B253F55CD7393EECF7F5C3D73A9D443164689174069FF21B2
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......O#...B}J.B}J.B}J@:xK.B}JD>.J.B}JD>yK.B}JD>~K.B}J@:~K.B}JD>xKqB}J@:{K.B}J@:|K.B}JQ..JQB}J.>~K.B}J@:yK'B}J.B|J.@}J.>xK.B}J.B}J.C}J.>yK.A}J.>tK.E}J.>.J.B}J.B.J.B}J.>.K.B}JRich.B}J........................PE..d.....3g.........."....".F...vo......?.........@.............................._.......Z...`..................................................VC.(.....\......`S.49....Y.0/...@].8....^..T...................._..(...@...@............`..`... &C. ....................text............................... ..`IPPCODE............................ ..`.rdata..B.T..`....T..J..............@..@.data...\.....C......`C.............@....pdata..49...`S..:...jN.............@..@.didat..H.....[.......V.............@...IPPDATA.g.....[.......V.............@..._RDATA..\.....\......xW.............@..@.rsrc.........\......zW.............@..@.reloc..8....@]......"X.............@..B........
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):36885808
                                                                                                                                                                                                                                Entropy (8bit):7.909820490100587
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:786432:KSLjrC6ES0BCVUx2qRw4nZnv69fakl8Q8kpwDQ6/Y:VLf+2m3hqSCZoI
                                                                                                                                                                                                                                MD5:4161468092501B8739E3411C5E423002
                                                                                                                                                                                                                                SHA1:F3007F049E8E3272058CAD1D32195E28580359E3
                                                                                                                                                                                                                                SHA-256:FCD688CA0D1DE2AEDE56E5736D63F7A12BD6BEC5C2C927F149028375762DC736
                                                                                                                                                                                                                                SHA-512:8F06DF358486259509CB73C3C73387524E73C563B2388F50F59F77BA52F187378DBA2BEDB675F2EE7A65B55DC20228FFEEA03AC0E1A3BE7E78E6B8AFDEFFFCB9
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F..Q'..Q'..Q'..[,.P'..Q'D.V'..[..P'..RichQ'..........................PE..d.....3g.........." ..."......2...............................................2......03...`.......................................................... ....2...........2.0/...........................................................................................rdata..............................@..@.rsrc.....2.. ....2.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):518960
                                                                                                                                                                                                                                Entropy (8bit):6.393116974761183
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:IjcUW8R1ZXBVmLpjmjXY57NIk/Vo693Qe9:IjcUDRnQsXY5h7/VfBQO
                                                                                                                                                                                                                                MD5:3075E4759956DCAA841ED4C416F89C92
                                                                                                                                                                                                                                SHA1:A650F1FBFC3DBB9A1DCCED09EC9B4F342F22C0BE
                                                                                                                                                                                                                                SHA-256:9B9B433FEB51663EA5351C7FE63881B1F721AD8B16A9ACC27D7EBED0A639CEC9
                                                                                                                                                                                                                                SHA-512:E6AB3EB08C8087F5015FF85D4CB82AEC7A14E1909F75A25FC7B61D662096C47C82637C1B545F16AF791FAC61E4A082C3E68E45575A4DEEC12907C85F72F35006
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........IS..(=..(=..(=.P8.u(=.T9..(=..T8..(=.T>..(=.P>..(=.P9..(=.T8.(=.P<..(=..(<.u(=..T4..(=..T...(=..(...(=..T?..(=.Rich.(=.........................PE..d.....3g.........."....".......................@.....................................?....`.................................................H...(........l...0...C......0/......L.......T.......................(....(..@...............`............................text............................... ..`.rdata..............................@..@.data....J.......2..................@....pdata...C...0...D..................@..@_RDATA..\............<..............@..@.rsrc....l.......n...>..............@..@.reloc..L...........................@..B................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1714992
                                                                                                                                                                                                                                Entropy (8bit):6.546953457862245
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:xpQyGyf6Rxzu54UP7OKkxlFsuKdHVTtajlGA:xfGfRpUA
                                                                                                                                                                                                                                MD5:248C2A80CBD5647C23C55CFE70D843BC
                                                                                                                                                                                                                                SHA1:31275E7C87AED241D3871C9A805B2D2EA10F3758
                                                                                                                                                                                                                                SHA-256:99464B26D99A8187194E7580011FD0E5FCEEF9BCFD5FC85A36400F5CBF533060
                                                                                                                                                                                                                                SHA-512:133150B983C61C7CA28D5C35728092CAB2FFD822FCE8C42B8D29BE9355D1C294D97E8ED76B56EA0D4E18C06C89D55A98E6D4859D82258FE38A627C05C4E14D9C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................[..............................:..................;...:.......:...s...:.R.....:.......Rich....................PE..d....j.f.........."....".....l.................@.............................p............`.........................................................@..................0/...P..@.......T....................!..(.......@............................................text............................... ..`.rdata..............................@..@.data...(`.......>..................@....pdata..............................@..@_RDATA..\.... ......................@..@CPADinfo8....0......................@....rsrc........@......................@..@.reloc..@....P......................@..B................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):17712
                                                                                                                                                                                                                                Entropy (8bit):6.949643172483514
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:2LGBxtmkhZSf+VIYic51LgdkSJIVE8E9VF0NytJ:2LIxtmkw/Yic5A2Ep
                                                                                                                                                                                                                                MD5:4D6089A8744DA5197DF65AFF0567E893
                                                                                                                                                                                                                                SHA1:31F6D32398CD3E465A95B1E40383981E4979167A
                                                                                                                                                                                                                                SHA-256:D96179353562C8C7F39C3CB8D7D3F9815CF8AC6F19A00627480CF37EA6DE1515
SHA-512:4E60F4891EB101F076BFDC59EB0EDFE48AEFAF7336F0D5818BB52BA2A50FB757F7D1165C0AA77A2C65BFB501A6ABB0B69445C0278A94F51930792395047F0773
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3g.........." ..0..............,... ...@....... ...............................T....`..................................+..O....@..................0/...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ..4....................*.......................................0..b.......~.....~......(.....(......o.......(.......o.....0.~....(....,..(....&.~....(....,..(....&.(....&.*..........%1.0......(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......d...#Blob...........G..........3..................................................-...........................0.......f...|.f...].f.....f.....f.....f.....f...7.f.........B.....

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):355632
Entropy (8bit):6.544582451742204
Encrypted:false
SSDEEP:3072:NY4IB2B+o2FgZEdOD/eSsgp2YX58ODnEpt0El4NnUszFoSqrzqwX9ZDuaoos0aEo:OOdqZ8lJDn20ElV0QmQg308
MD5:A3448D601918784C38F202FEC27FF8A4
SHA1:1254E9362FBA584C7CC5634EBEDEB71F74ED195C
SHA-256:027BC60E1C036D170398A289B7FA2F6C9161A198C48346D6F847E3EA63F4AAC6
SHA-512:224949BE3684AA7EB4812E8A3FD34580898B8645E242C52E0C10EBE776C878BB925482FE11264E9C74855E63AE6680ADF310B3563BEFEA7829133531802BAB25
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3g...........!.....4..........rS... ...`....@.. ...............................D....@..................................S..W.......`............>..0/...`....................................................... ............... ..H............text...x3... ...4.................. ..`.reloc.......`.......6..............@..B.rsrc...`............8..............@..@................TS......H.......(....f..........$....\............................................(*...*..{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....(....*..{....*"..}....*....0.. .......s.......{....o......(....o.....*2.(.........*...6.......(....*.....*.0............o....(.....o......E............#...*...>.......*...Z...u.......*.......*...*..........;....8......t....o....(....8......t....o....(+...(....8......tS...o....j

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):139056
Entropy (8bit):6.532462408923504
Encrypted:false
SSDEEP:3072:miieN9+xseRPLVfO2jiQpp0woz/cLruLwNiCoJa/Y:mpU9heFLRjCQadJaA
MD5:E5D8A7EB95C608523C9F8D1753691474
SHA1:0D20930588A8EC799D97A7DD13967E6CCF9973A7
SHA-256:63BC815B7896DF84C73489BB12C3845E5C3978AB9BACD5BE69B91F6528EB86DE
SHA-512:28AC0BD57201455CF5D157DAED6D8FF0F52AD5550ABD3B6505CF6FD5C1108537296F7A218C413ADD83395A0AF98AA52E8C35F7F2768CAA68E98A77A7637AEF6D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........`E...+...+...+.y(...+.y..|.+.}/...+.}(...+.}....+.y/...+.y*...+..S....+...*...+.:}....+.:}/...+.:}+...+.:}....+.......+.:})...+.Rich..+.........................PE..L....3g...........!...".0...........{.......@............................... ...........@A...........................................P...............0/.............T...............................@............@...............................text...*/.......0.................. ..`.rdata.......@.......4..............@..@.data...............................@....rsrc...P...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):182064
Entropy (8bit):6.2310805988584175
Encrypted:false
SSDEEP:3072:9gRdGN0Ik4/3dGctH4Xmyw0hHRhzopV+9JmTBZ1wuwbPz4efAAYVqsLiy/q:kC0r4/3dRHSmv0hHRlI+9VSPV1y
MD5:61AD15F02535262E120D16CC1642ED07
SHA1:B179B3ABA71D55A022361B0DF30946316FB318DC
SHA-256:54AEA2D51D13F0ADD6B5738D7A0D7399C4531F012358245AF85932784BF44ABB
SHA-512:A671493B783DC9C9D4C5D95E64C84940EF352E4BB4C5B5E6691DE56332855920065A22173BA87FA84545A28EEED16BA96D6217E96171EC5A23676FFDCA4C771D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......B....|.].|.].|.]M..\.|.]I..\.|.]I..\.|.]I..\)|.]M..\.|.]M..\.|.]M..\.|.]...].|.].|.]{|.]...\.|.]...\.|.]...\.|.]..f].|.].|.].|.]...\.|.]Rich.|.]........................PE..d.....3g.........." ...".~...(......`.....................................................`A.........................................S.......S..........X...............0/..............T...........................p...@............................................text....|.......~.................. ..`.rdata..B...........................@..@.data....$...`.......R..............@....pdata...............f..............@..@_RDATA..\...........................@..@.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):479536
Entropy (8bit):6.914122396366591
Encrypted:false
SSDEEP:12288:ITbmbvN1jVKS3+dIPIkuFRYoevk2gpb45w3n:ITbmbvN1VKRdIA12gpb4i
MD5:2499441F9DA7A30E39B38EAF9D38BA1B
SHA1:7150959613391297B73EBD918F0F5BFDAD4921A5
SHA-256:6459A030059A3054ED1C42D7F195DE1B0B04348300BFC1469016E2D5D4A65FFA
SHA-512:0487CF992E16BFE87F1FB12722086DD3647F3650031F72266D4C16118FF9233972B746897A7B3F4BDF5D0826FBD8E9C1F3077DC9C155324B16D96003085EE6C7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[......T...T...TT..U...TT..U...TP..U...TP..U...TP..U...TT..U...TT..U...T...T...T..U...T..U...T..T...T..U...TRich...T................PE..L....3g...........!...".l.......... ...............................................K4....@A........................ ...t............0..............."..0/...@...;.....T...............................@............................................text....k.......l.................. ..`.rdata...e.......f...p..............@..@.data....$..........................@....shared.$.... ......................@....rsrc........0......................@..@.reloc...;...@...<..................@..B........................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):362288
Entropy (8bit):6.600580188701235
Encrypted:false
SSDEEP:6144:VAFcz4hAtmr5rMSKW7g+JZFUEEgwbGfQASFCQk4AOUo56Gt4mE2R:u+21Bvk+JZiEE/GfQpHj6mE2R
MD5:048CC47BE05A3D22BB5019015F8286B1
SHA1:E7D5836562B028763D107E8372B5914A7CEE35F2
SHA-256:74C5FAB3BCC1542EF0A92D6EB54CBB72ECABA72D50A981B07A7104A18A1F12C9
SHA-512:C51CC6E8CC23B0C36957E9E6F95C49F77D80468D38DDAE8A45FCF69A7AA7B62B2A754458F323A0D59DFD933E037527CB699AA8F7E618B14DDB611E5A2290603D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.U.J...J...J...2...J...2...J...6...J...6...J...2...J...6...J...2...J...J..[J..u6...J..u6)..J...JA..J..u6...J..Rich.J..........................PE..L....3g..............."............p.............@.................................V.....@.....................................(....`...............X..0/...p..$1..0...T...............................@....................... ....................text............................... ..`.rdata..PH.......J..................@..@.data...l"... ......................@....didat.......P......................@....rsrc........`....... ..............@..@.reloc..$1...p...2...&..............@..B................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):612656
Entropy (8bit):6.6296860228182775
Encrypted:false
SSDEEP:6144:e779BVP6hn9cQ9u/esIMyUXOR7nXxBFUOU8I/Ubzi2G6PpqBlgXAjR+UhGhsoS05:e7prP6hnyb7jeNx73F+Ai+AZsbseCiwu
MD5:9F597B5EBB2EAB9E85E4B5BD1FEB27AE
SHA1:0EA591E2A6541B012BB702F13D4A93E6E5AC8ACD
SHA-256:136B724BF8A88AEAABF186E5F3617EDBBF090231C3047E1447D6A5261EA63684
SHA-512:48B072A4952D953A9D136796A7CE191515DB352FA73503280A987205AB1CE7B8F2C4C7794C76014D28C019319CC8D00DDBF0D523FA1D55FC550AE13808EB2EF7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8Xy.|9..|9..|9..7A..z9..7A...9..3E..\9..3E..r9..3E..u9..7A..p9..7A..q9..|9...9...E..p9...E..}9...E..}9...E..}9..Rich|9..........PE..d....3g.........." ..."............@...............................................7@....`A............................................t........................U...*..0/........... ..T...............................@............................................text............................... ..`.rdata..6...........................@..@.data...H1..........................@....pdata...U.......V..................@..@_RDATA..\....p......................@..@.shared.H...........................@....rsrc...............................@..@.reloc............... ..............@..B................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):429360
Entropy (8bit):6.403512694173202
Encrypted:false
SSDEEP:12288:7CvCVmlq3sJ0WyvoY9phDKTFVZodiMyhsw:7CqVmlq8rcoUp1KTHZgy
MD5:C2569AFDF453FF8EDC35546C6CD99F25
SHA1:AFBFF67E0DD01BB43804C2D861A3ED385BEEFC6E
SHA-256:82DEB0B2CFD81447C6EF19CC8620793E143D0F7D543EEC4DB2939C29EED34ED1
SHA-512:FBB0DB2DDFFDE7CDCAB2D5B0EA98A4D88AEF1000A6F5FD11650EFD3F3EDA3DF8D774E71DB0DC3946D1F98677272DA16484C7B8DD03D00598348722EC5FF21091
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I...I...I...............F.......C.......D.......]...............J...I.........i....v.H...I...H......H...RichI...........PE..d.....3g.........."....".L...*......P..........@.....................................k....`.....................................................(............P..T3...^..0/..............T.......................(....~..@............`......d... ....................text....K.......L.................. ..`.rdata.......`.......P..............@..@.data...|2..........................@....pdata..T3...P...4..................@..@.didat...............H..............@..._RDATA..\............J..............@..@.rsrc................L..............@..@.reloc...............R..............@..B................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:7-zip archive data, version 0.3
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):68012141
                                                                                                                                                                                                                                Entropy (8bit):7.999996391476119
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:1572864:7tHGL2imNGck9gTKQtEZjZjb914komphRDrGdXCl2EXTcAeUu:Jm3gtEZR4KfR/l2EeP
                                                                                                                                                                                                                                MD5:6481BE826C6C0E4E5044B7AEFD798C8F
                                                                                                                                                                                                                                SHA1:A158D4C2A009803D4AEA0F266B34CBB4AE65DCCD
                                                                                                                                                                                                                                SHA-256:0E6C4D5CC07EE959F526295E79C56FE2ED8A8D1023F688555F1FB6F1A154D69A
                                                                                                                                                                                                                                SHA-512:1640A148D63FA843D3B85BCD49A9AF3BE7358BF96A82B9032D557783785951647D1DCC290EC494A913E5B2E9BDD9897B3D71B1386EB3C2F7601243743A06074C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:7z..'....d.b(.......%.......y.C...`...Q....}.=m.u`...Ah3u.kv!.. Kg)...%.....ii....j..:0..Q.x~..".....y34~D..c...0..k.O..W*.....G^....:].ce.#.q.$TzuW...h..'imfv.,UK...D;... (.l..z..A...5.y.4..........M.y...3.....)'......80ILrPF...@..bU.!.<.... .:o....^.T....-...^.Ytuq.. .WI.i.j.[.7.. s....H..<......./Ad3...p[..%Y,..2.s[.H6"..jF.7..e-.E.7T.....0....K./.MW../.6.l..<.k...2..(..f....t.Bv..~.m)...1....z.j.|.v....5..ui.@_.~...>.@W..Y..qF.V..y..A.,@."......j....e].....A.t.1..1...SQ..g/.s.b.<D.).X6./.}UbYe.+.n.;..{....]...(....e.!R....h...G....S..CC..$f...N......m..{....e\/....I..|n<.u...d*..|. .-3QjpY. oKu..H](........a....YRA.n.u..E..w.C~..d..`..xF..,.DK.#.t.e.._B8H\$.u.!lS...9-u@.3f......, ).Z...*.^...........8i-.........._..]..e...t.8......]....M.'.,+%....v....pFz>..q2..u%AV.O............5....Tm....:.f...PO>~......e..7O.,&8.....W.R.....<;.!a.e.*...KY3v..b..5........Pk...{.~O...R........B.F.m.G......h..f..=$k....4.._b7C2.....o.8.p...s...F.........
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:7-zip archive data, version 0.3
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):364560
                                                                                                                                                                                                                                Entropy (8bit):7.9995333112503495
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:6144:ZF/r31fRSYFtbAtnX98TKt1f4ymTN0fvez0bMYJlcBHALHmULTk:ZFb1ftC6TKt1fWJqveobMYJlcBHuXLY
                                                                                                                                                                                                                                MD5:113DE28B4DC4D132A53AACB43D88D064
                                                                                                                                                                                                                                SHA1:927B206CB925D73D48E1D626B148453055748C40
                                                                                                                                                                                                                                SHA-256:35641CACBEB210DD857F9CF3C8AD1AA81A74F8EDCDD2526BE07E16580C7EF08C
                                                                                                                                                                                                                                SHA-512:92867E0914E4A1F06FB80D89E68E1EF0ABB4AF6EB4FAF302E05FF6DD21F46758AA8150BF2267F6DC052702FB9C99F055254A2F7CB5F6AF26F672119B729ADFFD
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:7z..'....w-s.......$.......3......&....FnP..p<......o..:.D.y.2...;N...$.....R%.$.+.y.4N.T...I..!...W.iX.u..>c.......>....hU.}V...!E.......>1...`.........-\?.&S....9...A.(1.O[kOK..|.a.=.`XK..%..9F.S8..|.D=.5.b.z....]....?..........SV1.Pj.W.....z....<*P....DU\..._7.Z..W..W..cL...Me..@*j.0=]I.....Y...Va.J.Lu.)B.1.@+0...)e.....[.x."!.UX.........P!../7.$..."R.....j. 3.Pxp.W...JN...5../.?G9b.C..>...=y7. ..~TV.......T.y.......{#.Hm[k.x0..WB|..=..7sY.f..t...fs...e...V!.g..6s./,n.D?..`.t..H...^jPv....>...]K./...,ej_..D,....T..)..h[##..i...'b...e......7.$.od'.5.K.K.V.G..[....CUn.Y.*...*...J.....$...y.-J^....V.,...,.\../...g....:....i.kp8%..i....Y..x.....m..Ne..........~.i..+..G:B....#`.-^.+..%gS-L..P).Zz.....8.s........Bx.... ..>h.2...2..J....~l..G.z....).b.C.^Rtd.....s-.b..3:Hb.qXG...f.0 =.^...5..q.&.z.8.g....d.76.....&..==.....[]./0.....).:7P..y.w.F4...jr#..;.....*L>z.j.`Q...6.X.J.....6..R......b.........@.....9P.._..,..Y.c#+..I.bS.(.C..F..!
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:7-zip archive data, version 0.3
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):310194
                                                                                                                                                                                                                                Entropy (8bit):7.999382001365806
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:6144:4S2ruVvp26RNW2ee98lcMXZ7cOxmFb4tFzaUNrDw394mV6L2JAyLw:auVEQW2r0cMlAB4tVaUJ+94mu
                                                                                                                                                                                                                                MD5:846AF7A620836D57195ADBA6CB2F9327
                                                                                                                                                                                                                                SHA1:AFE4FBF75BCAFE480997387F74633CB34D667290
                                                                                                                                                                                                                                SHA-256:612A8D33CB8B6E5BAA0E9C91189C13873664DB0846B9FDFECB345961BD11CB5B
                                                                                                                                                                                                                                SHA-512:C78B719A00AE1064EA62A2FF685069699166333678AD5D485B3982FBBDD685019B1B57EACD88133BDAFDD8D3FA1E7EB9F93E7BD3409ECFE686D24F95E4A8CAED
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:7z..'....~.hn.......$.......r..+.. .(.....H.U......6.PXGp..F.5J..E=I..2..A/@.%....P)..H..Sp..u>=C..C...N).......(..."ZZS ....W..@[_f%...$..E!..a..B...v...L.'.`.~.b..F.._Rbc2......^.s..D@.?..8,z_S.xY...............YJ0gzd...J..*.jYl......DD.. .'M...C.....h~.6.....r...K?-.m..]."........5..Q5*!b......7...^......s.....g2j.S.'.;.K.3'.s.=^b...)%2.'...~=...!...m>JmGS~D.......s...P..._...G...h...%..M......#.[.B...Y.N8..J,..H+O2.....d......R.Q..R.t.....qU.3i.[..z7...NcB>Tig.*..\K5.,.P4y....}..w.....j<..O9.....[A.-..]...L8.K..B..LT.H3.bF./.FaX...."wD..ss.N.I....7......]m,.m{.E.7b..6..R;Z..^Q....o{.+.)g.a.....C....|.,...3...).xQ..}..D. ?........ H5..4X.r...K...X..u.H].o&..nU..E..a.T.$.....f....3...Vr/._;..Cw.`+..@&d..}..-;)..d1j q.t.S...Y%}[K....]:.sP........x.F.2NU%..<.>VE..9$_KP.....H.w.7......H...lg7.."^.`K0....8.....1........8t....F...}.i..N....i....S..^.`.g..42...:..`{.V..7...V...f..,...C.m04...I.j.d...h...D9.}.hPQ......Q.N2!..K.I.*.jB9.....x.q...;.....S
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1165840
                                                                                                                                                                                                                                Entropy (8bit):6.419383926919195
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24576:Gnzn0vN6aSoGsZwXV22NNNKwhfmH5abENDcCBV:A0vSoGsZwXV2ExnbENDcC3
                                                                                                                                                                                                                                MD5:E217DB9E269FF85272513E81B9F191B3
                                                                                                                                                                                                                                SHA1:FA493446A28D9CC3B0578E7136068048E140134B
                                                                                                                                                                                                                                SHA-256:43E868678463F759F4CE8EA235486B955EF6426977C869BDA308622E3D57855D
                                                                                                                                                                                                                                SHA-512:5833DEF4E078D73196019318B62EC104DC1CC016E53599EC70785FFCD39A9A031244B066E21841429884EB0B02DC9762CFF7C4DDAA757A475F9C7F622A343E8F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P..*_...P...P..OP..*_...P..s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@.......................... .......f....@.............................................................0/...........................................................................................text...{c.......d.................. ..`.rdata...............h..............@..@.data...............~..............@....ndata...@...P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1592616
                                                                                                                                                                                                                                Entropy (8bit):7.928355704554102
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24576:Uwyf3Su4a/KnwYtDXl42hxt3q7lR3hVtTcKaBQ7SdBZpeUY:Zyf3L4aGweXl1h/C3Jc9BQ7SdPMh
                                                                                                                                                                                                                                MD5:B32D72DAEEE036E2B8F1C57E4A40E87A
                                                                                                                                                                                                                                SHA1:564CAA330D077A3D26691338B3E38EE4879A929D
                                                                                                                                                                                                                                SHA-256:65F6EFDF6DF4095971A95F4BF387590AE63109388344632A22458265AB7DD289
                                                                                                                                                                                                                                SHA-512:B5D62CE1462D786C01D38E13D030AD6236CE63321819CF860CC6169F50F6309E627BC7709B305422851779E37DBAE9FB358008AAD8D6C124CD33CDEC730288D5
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..[ e.. e.. e..4...+e..4....e..B...1e..B...4e......-e..B....e..4...3e..4...!e..4...-e.. e...e....@.!e.. e(.ve......!e..Rich e..................PE..L....(.c.....................t...... }............@..........................p......m.....@..................................?..x.......................(/...P.. ....1..p....................1..........@...............H...T>..`....................text...*........................... ..`.rdata..............................@..@.data...,....P.......8..............@....didat..,....p.......B..............@....rsrc................D..............@..@.reloc.. ....P......................@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:Windows setup INFormation
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1775
                                                                                                                                                                                                                                Entropy (8bit):5.282965170818026
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:48:+vsh8Q2XFbsf0z6Joq7mgHwuMgHPgHxGFWlFVfXj/g:+vM4QI6JoimIMsCGFWlFZE
                                                                                                                                                                                                                                MD5:5C05880E0ED65FAC3A4DFB7B6802B898
                                                                                                                                                                                                                                SHA1:55EA8DAC7093123E26584A49012517818C0F586D
                                                                                                                                                                                                                                SHA-256:60FA2925C589AC38BAB74713E1B0BB2A205A8C825D614B971FC3426991CD86CA
                                                                                                                                                                                                                                SHA-512:5176504DE06E6F8249815F8F8472ED7C9A26003E92ECD80299DA8B611A630A1BA8179419CDF50F02B78A19CAF221D6E0AE59452B224DC55FEEF72A93CD4D147D
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:; Copyright 2010 TeamViewer GmbH All rights reserved...[Version]..Signature="$WINDOWS NT$"..Class=Monitor..ClassGUID={4d36e96e-e325-11ce-bfc1-08002be10318}..Provider= TeamViewer GmbH..DriverVer=02/01/2017,1.02.0000..CatalogFile=TVMonitor.cat....[SourceDisksNames]..3426 = %SourceName%....[SourceDisksFiles]..TVMonitor.sys = 3426....[DestinationDirs]..DefaultDestDir = 10..MonitorFunction_Files_Driver = 12....[Manufacturer]..%MfgName% = Driver_Mfg,NTAMD64....[Driver_Mfg.NTAMD64]..%Driver_DeviceDesc%=Driver_DDI, *PNP09FF....[Driver_DDI.NT]..CopyFiles=MonitorFunction_Files_Driver....[Driver_DDI.NT.Services]..Addservice = MonitorFunction, %FLG_ADDREG_NOCLOBBER%, MonitorFunction_Service....[MonitorFunction_Service]..DisplayName = %MonitorFunction_SvcDesc%..ServiceType = %SERVICE_KERNEL_DRIVER%..StartType = %SERVICE_DEMAND_START%..ErrorControl = %SERVICE_ERROR_NORMAL%..ServiceBinary = %12%\TVMonitor.sys..LoadOrderGroup = Extended Base....[MonitorFunction_Files_Driver]..TVMonito
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):18336
                                                                                                                                                                                                                                Entropy (8bit):6.275348584247018
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:qumQmspn15C9l0HDRRdrauc056CAyIKGNsuIeInYe+PjPtrwnc8ijtlAur9ZCsp5:qmF100Hzdrau/NAyoauQnYPLWUUHeMt
                                                                                                                                                                                                                                MD5:B7CA6668278FBAE3FBD649285F8CCC35
                                                                                                                                                                                                                                SHA1:DD5CD2FB0E6818EB56268F0D6E72D0F5AC74AEF4
                                                                                                                                                                                                                                SHA-256:78318C6A8AE65FB3AFE6BA06CF1BDA69903390E250950D3BF78895CD79AFD4D8
                                                                                                                                                                                                                                SHA-512:7305B979ABBEF7BEB4789261E9FC0EBDE00415BB00ECEEE2289CD1FCF91467CCC7C84ED77E7F5CD042243508B5FC8C3384EA59D6A1A17497781110FE5238103C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D..S%.S%.S%.S%.s%.Z]I.P%.Z]O.Q%.Z]Y.W%.Z]P.R%.Z]N.R%.Z]K.R%.RichS%.................PE..d...)x.Y..........".................d`.......................................................................................................`..(....p.......@.......(...............!............................................... ...............................text............................... ..h.rdata..t.... ......................@..H.data... ....0......................@....pdata.......@......................@..HPAGE....z....P...................... ..`INIT....x....`...................... ....rsrc........p.......$..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):11393
                                                                                                                                                                                                                                Entropy (8bit):7.262775900557745
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:qtxI5sxyQJCxSFBkyKuqwFWQFH5JUoowcLK+X01k9z3A4ZdMXrWp:80GFRdfUo6R9zrvMu
                                                                                                                                                                                                                                MD5:746441B276B24B7A5B487A429F60D214
                                                                                                                                                                                                                                SHA1:657258CBAF47D6FAA2EC58C77B948C6398828F96
                                                                                                                                                                                                                                SHA-256:2C714A3687424C798B565128C0720322A7EA0FB779D91963048394EA471707AA
                                                                                                                                                                                                                                SHA-512:F734829EC6D6AD84848FA5CD2B866337360481B596A383A49AE3BA5176FFD74850C8DFA345F1DD3BC4644DA6FA905AD91644E450DA02C413D39849EA3C35753C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:0.,}..*.H........,n0.,j...1.0...`.H.e......0.....+.....7......0...0...+.....7.....<.O....E.L........240125134120Z0...+.....7.....0...0..'. `.........5.[.}.....t..oB.....1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0X..+.....7...1J0H...F.i.l.e.......6t.v.v.i.r.t.u.a.l.m.o.n.i.t.o.r.d.r.i.v.e.r...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... `.........5.[.}.....t..oB.....0.......@i...E@8z!:D^ze./1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0X..+.....7...1J0H...F.i.l.e.......6t.v.v.i.r.t.u.a.l.m.o.n.i.t.o.r.d.r.i.v.e.r...i.n.f...0.....]..n..|...{.;....n.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0X..+.....7...1J0H...F.i.l.e.......6t.v.v.i.r.t.u.a.l.m.o.n.i.t.o.r.d.r.i.v.e.r...d.l.l...0.... .^......%f..u`.c.l.IJ...5d.x.o.A1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .^......%f..u`.c.l.I
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):72056
                                                                                                                                                                                                                                Entropy (8bit):6.655826001710673
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:Mdq9xYKLIHVgKqnS/OLlGkQctwE/uf95v13d6YHU3/Yic5Hf+AMxkEBsF9zmGW:MUYK7xxacKYS5vBHU3/7IHkxuXznW
                                                                                                                                                                                                                                MD5:5DA3DD0A7761D1C1678D65F22005175A
                                                                                                                                                                                                                                SHA1:13EDDA1695D1080379ADF30596F149CFE09E865D
                                                                                                                                                                                                                                SHA-256:CD858C1A37D9599181285CE55E38BBD7CEF8637F8DF1D3BA425B78C2670E345E
                                                                                                                                                                                                                                SHA-512:54C14B06F3CF373DD4A6D77030D7908FC6CB42BF151760877EF2EA0C5662B56F2DD09A334BB55602A4F1920CDF91FBA140AAEA14113DA369CD25B89AB8B3CA3A
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3t..w.a.w.a.w.a.%`e.~.a.%`b.q.a.%`d.T.a.gd.v.a.~m..e.a.g`.r.a.w.`.4.a.gf.u.a.gb.u.a.ge.u.a.`d...a.`a.v.a.`c.v.a.Richw.a.........PE..d....6.e.........." .....v...R......@>...............................................%....`A........................................0...`...............................xU.............8...............................8............................................text....t.......v.................. ..`.rdata..R7.......8...z..............@..@.data...............................@....pdata..............................@..@_RDATA..............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:Windows setup INFormation
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4640
                                                                                                                                                                                                                                Entropy (8bit):3.7271215593412443
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:96:Kw/Pg6KAXlFHmk9/BabDIWebYNnitU42S42Lx:s1E
                                                                                                                                                                                                                                MD5:6CCC14F0F72BB4398F0A15CC96BBBB86
                                                                                                                                                                                                                                SHA1:891A0A4069C8CCEC4540387A213A445E7A65982F
                                                                                                                                                                                                                                SHA-256:F35E1BED01D9EFDD2566F6A07560D263CE6CD9494AED03CD3564A7788F6FFA41
                                                                                                                                                                                                                                SHA-512:1EF640FEC7F68587E938646AB2771F5BFA8384542E401B097CFCE3A0D0B67A3F5A6F756FC9F66C77D7D8AC6DAA87D227864E7B44FC81A64BEBC42254DEE906EE
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:..;.....;. .T.V.V.i.r.t.u.a.l.M.o.n.i.t.o.r.D.r.i.v.e.r...i.n.f.....;.........[.V.e.r.s.i.o.n.].....P.n.p.L.o.c.k.D.o.w.n.=.1.....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e.=.T.V.V.i.r.t.u.a.l.M.o.n.i.t.o.r.D.r.i.v.e.r...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .0.1./.2.5./.2.0.2.4.,.1.1...2.4...5.4...2.8.4.............[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.=.S.t.a.n.d.a.r.d.,.N.T.a.m.d.6.4.........[.S.t.a.n.d.a.r.d...N.T.a.m.d.6.4.].....%.D.e.v.i.c.e.N.a.m.e.%.=.T.V.V.i.r.t.u.a.l.M.o.n.i.t.o.r._.I.n.s.t.a.l.l.,. .R.o.o.t.\.T.V.V.i.r.t.u.a.l.M.o.n.i.t.o.r._.I.n.d.i.r.e.c.t.D.i.s.p.l.a.y.....%.D.e.v.i.c.e.N.a.m.e.%.=.T.V.V.i.r.t.u.a.l.M.o.n.i.t.o.r._.I.n.s.t.a.l.l.,. .T.V.V.i.r.t.u.a.l.M.o.n.i.t.o.r._.I.n.d.i.r.
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:Windows setup INFormation
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5852
                                                                                                                                                                                                                                Entropy (8bit):4.8898985616021315
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:96:q2i3bD2JlgdmibjR+iAz4C7bZ7xTMPTtQ2rtu3DcNSjXKjvKY8kz7s7wfQTXvMYk:ri3WJlgdmibjR+iAUC7bQPu6o3DcNSju
                                                                                                                                                                                                                                MD5:65FA1C2E7127E7B7D42A712574BE0877
                                                                                                                                                                                                                                SHA1:2BEA89F8A0D9A867C6BB7711F51ECB7ECDB0F988
                                                                                                                                                                                                                                SHA-256:07C7CFF907E6BCC9C3B587728C055DF6DE9F5089AC1C4BAB4014A8993A5FF788
                                                                                                                                                                                                                                SHA-512:27BDC76B443DABC72FE7EA9338716B3BD4520858A2CB40BB4F4C00E1FA423F3A2FD339E305C68A81AC8474B794FE8BA5AC7DD07FDC9FBAE52D48E2AC37DB5874
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:; ****************************************************************************..; * Copyright (C) 2021 TeamViewer Germany GmbH *..; ****************************************************************************....[Version].. Signature = "$Windows NT$".. CatalogFile = teamviewervpn.cat.. ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}.. Provider = %Provider%.. Class = Net....; This version number should match the version..; number given in ..\version.m4... DriverVer = 10/08/2020,9.24.6.601....[Strings].. DeviceDescription = "TeamViewer VPN Adapter".. Provider = "TeamViewer Germany GmbH"....;----------------------------------------------------------------..; Manufacturer + Product Section (Done)..;----------------------------------------------------------------..[Manufacturer].. %Provider% = teamviewervpn, NTamd64....[teamviewervpn.NTamd64].. %DeviceDescription% = teamviewervpn.ndi, root\teamviewervpn ; Root enumera
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):11460
                                                                                                                                                                                                                                Entropy (8bit):7.27311231791528
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:6F7Y/7MMMyECxPpramyKQFWQFN4p7El+X01k9z3ApdzO4:dg4h8FR7oY+R9z6p
                                                                                                                                                                                                                                MD5:7BDE799A1F3A2D770E132E646DCB7FBE
                                                                                                                                                                                                                                SHA1:D8FA17ADFB97E97F7604BCDA40B3B0A3AA3A17FA
                                                                                                                                                                                                                                SHA-256:9A3039C3D44BAF9B38302C73F5D1EDEF209A6A56E3A4BB1BE325479C1883C4F9
                                                                                                                                                                                                                                SHA-512:0FD462F2D6DC3DFB18F83EE235207C8B435D2D4A3BFBB51CEC04D3CF12B57068F130D9494D1AF5034AA9E89B8268EC334D8F61171F2BB62CD7B254CF0FB0FF7C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:0.,...*.H........,.0.,....1.0...`.H.e......0.....+.....7......0...0...+.....7......,.c.w)K....Z..^..231018055851Z0...+.....7.....0...0..7. \..P....W8..oY.C.Dd.~...QT..5m<1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... \..P....W8..oY.C.Dd.~...QT..5m<0h..+.....7...1Z0X...F.i.l.e.......Ft.e.a.m.v.i.e.w.e.r._.v.i.r.t.u.a.l.d.e.v.i.c.e.d.r.i.v.e.r...d.l.l...0....{.j.......H..N.E..:1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0h..+.....7...1Z0X...F.i.l.e.......Ft.e.a.m.v.i.e.w.e.r._.v.i.r.t.u.a.l.d.e.v.i.c.e.d.r.i.v.e.r...d.l.l...0.....a.]QI,.A..Te.W.H..71..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0h..+.....7...1Z0X...F.i.l.e.......Ft.e.a.m.v.i.e.w.e.r._.v.i.r.t.u.a.l.d.e.v.i.c.e.d.r.i.v.e.r...i.n.f...0../. .!e..W....^.b.&..~Q;.......#}..1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0U..+.....7...1G0E0...+...
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):604952
                                                                                                                                                                                                                                Entropy (8bit):6.471942712240294
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:FKt/PGMjuTxFzMp25O5sXwYTSaqU6LwonnRDt8:FiGDIKAYTSaRfunRDi
                                                                                                                                                                                                                                MD5:A380586D76C8AC7D594FCC584D3EB3D5
                                                                                                                                                                                                                                SHA1:67B07EB2B6DE9BBE2485A5B9075218DC70752388
                                                                                                                                                                                                                                SHA-256:816DEFEC7889C3B4F69D253492402E2E3D0F0016CD5A22136828D5B60A2AA33E
                                                                                                                                                                                                                                SHA-512:14D09A692964202300D71506E2741A46EB8BB2A54332E2B370AFDE3B5021DB2DC06737718D6EAFC680DD05BCD130872B5EC860CB80EB2BE3C2910B7B2536F306
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Z...Z...Z..."...Z..."..*Z..."...Z...&...Z...&...Z...&...Z..."...Z...Z..PZ..."...Z..I&...Z..I&...Z..I&...Z..Rich.Z..................PE..d...r.'e.........." ...".h..........................................................xY....`A.........................................W..h...8X..<...............tX.......U.............8.......................(...0...@...............H....T.......................text....f.......h.................. ..`.rdata...............l..............@..@.data........p...$...T..............@....pdata..tX.......Z...x..............@..@.didat.......`......................@..._RDATA..\....p......................@..@.reloc..............................@..B................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):2420
Entropy (8bit):5.324223103982517
Encrypted:false
SSDEEP:48:x+FhiEAMeGZIVsomMGVWtbAM62fUifVwqgPbKJn0Fjeu70Fpn0Fpa70FLe4CAo0f:x+zinSZIVstMXtsM62fUif1gGJ0Ku704
MD5:7A630E28A84F90884018048A034D3AB4
SHA1:B661B95D51492CE7410ADC5465E157FE48A7C837
SHA-256:FD2165838357E9FE0BCA5EBB621326950F7E513B9E85A2ABE8A5D006237D8317
SHA-512:EA566268AE74FDF9A930442DAFE415A9FFCD892B9E1EF4A43D3BCA9862CD5FAD23A8CEE5CE7AD11C242CF1183FA4BD2F5E6FC93BE1D8789F4D92579E2FD89F6E
Malicious:false
                                                                                                                                                                                                                                Preview:;..; TeamViewer_VirtualDeviceDriver.inf..;....[Version]..Signature="$Windows NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%ManufacturerName%..CatalogFile=TeamViewer_VirtualDeviceDriver.cat..DriverVer = 10/12/2023,9.33.58.52..PnpLockDown=1....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%DeviceName%=Device_Install, root\TVVirtualSmartCardReader....[SourceDisksFiles]..TeamViewer_VirtualDeviceDriver.dll=1....[SourceDisksNames]..1 = %DiskName%....; =================== UMDF Device ==================================....[Device_Install.NT]..CopyFiles=UMDriverCopy..Addreg=LogParams_AddReg....[Device_Install.NT.hw]....[Device_Install.NT.Services]..AddService=WUDFRd,0x000001fa,WUDFRD_ServiceInstall....[Device_Install.NT.CoInstallers]..AddReg=CoInstallers_AddReg ....[Device_Install.NT.Wdf]..UmdfService=TeamViewer_VirtualDeviceDriver,TeamViewer_VirtualDeviceDriver_Install..UmdfServiceOrder=TeamViewer_VirtualDeviceDriver..UmdfMethodNei
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):5391
Entropy (8bit):4.832043523407305
Encrypted:false
SSDEEP:96:s2iQJD2WlsdGebjR+iAz4C7bZ7xpRStQ2rtu3DcNSjXKjvKY8ks7nuwfQTXv/zof:FiQQWlsdGebjR+iAUC7bpR6o3DcNSj6e
MD5:447FC733747DB11CD4492AE01C5652FE
SHA1:2A70DCD391464CB8D3736322E07E966E105D396E
SHA-256:A817B0E8A669D5ACAF2DDFBC95ACF2A1213B092B44DC896A0EE4A5301D06EBC3
SHA-512:238099DB072AF55445D421E941944ABE8A6F52A124A26CAE84C1DD52FFFAFC4DAC5586D0C7407B461CD0DB8E771E1DBB6CA34AEE84581B24347F401410B2AFE5
Malicious:false
                                                                                                                                                                                                                                Preview:; ****************************************************************************..; * Copyright (C) 2007 TeamViewer GmbH.. *..; ****************************************************************************......[Version].. Signature = "$Windows NT$".. CatalogFile = teamviewervpn.cat.. ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}.. Provider = %Provider%.. Class = Net.. DriverVer=11/27/2007,2.10.00.0000....[Strings].. DeviceDescription = "TeamViewer VPN Adapter".. Provider = "TeamViewer GmbH"....;----------------------------------------------------------------..; Manufacturer + Product Section (Done)..;----------------------------------------------------------------..[Manufacturer].. %Provider% = teamviewervpn,NTamd64....[teamviewervpn.NTamd64].. %DeviceDescription% = teamviewervpn.ndi, teamviewervpn....;---------------------------------------------------------------..; Driver Section (Don
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:data
Category:dropped
Size (bytes):10645
Entropy (8bit):7.272624114612594
Encrypted:false
SSDEEP:192:H64PyG0o6orbfUG3afdjIafdjShjFivhE:jnrbVafdjIafdjcjFiJE
MD5:5CFFE65F36B60BC151486C90382F1627
SHA1:F2A66EAE89B4B19D4CAB2AC630536AF5EEEEF121
SHA-256:AA7C09A817EB54E3CC5C342454608364A679E231824F83BA5A2D0278EDCC1851
SHA-512:1BD48EF66F8714E7E9591043D03BD69A30881ED3D0F2463B15750A3282DF667FFB076B3A92358EECEDAE0E54485B07D702667E8FE0AF64C52BE04DB47145920B
Malicious:false
                                                                                                                                                                                                                                Preview:0.)...*.H........).0.)~...1.0...+......0.....+.....7......0...0...+.....7.....^FZ..t.K.........071228163009Z0...+.....7.....0..^0....R2.A.7.0.D.C.D.3.9.1.4.6.4.C.B.8.D.3.7.3.6.3.2.2.E.0.7.E.9.6.6.E.1.0.5.D.3.9.6.E...1..O0>..+.....7...100....O.S.A.t.t.r........2.:.5...2.,.2.:.6...0...0F..+.....7...1806...F.i.l.e.......$t.e.a.m.v.i.e.w.e.r.v.p.n...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........*p..FL..sc".~.n.]9n0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R8.7.C.A.9.7.9.F.2.2.A.E.3.2.A.2.6.8.5.5.1.C.A.1.9.6.2.C.D.9.5.2.F.D.E.2.3.8.6.9...1..W0>..+.....7...100....O.S.A.t.t.r........2.:.5...2.,.2.:.6...0...0F..+.....7...1806...F.i.l.e.......$t.e.a.m.v.i.e.w.e.r.v.p.n...s.y.s...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........".2.hU...,.R..8i...L0..H0
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):35112
Entropy (8bit):6.279693420486803
Encrypted:false
SSDEEP:768:/a/ZSDKMhnknetMdlHJRXz0yjSDomtN6l5cJQGftSSXakqEqLXb9:C/ZWnkn0uTRXz00Ss1m1YvEq/9
MD5:F5520DBB47C60EE83024B38720ABDA24
SHA1:BC355C14A2B22712B91FF43CD4E046489A91CAE5
SHA-256:B8E555D92440BF93E3B55A66E27CEF936477EF7528F870D3B78BD3B294A05CC0
SHA-512:3C5BB212467D932F5EAA17A2346EF8F401A49760C9C6C89C6318A1313FCBABB1D43B1054692C01738EA6A3648CC57E06845B81BECB3069F478D5B1A7CBCB0E66
Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mN... ... ... ...... ...N... ...!... ...[... ...]... ...M... ...Q... ...\... ...X... .Rich.. .........................PE..d.....`G.........."......Z..........................................................|......................................................0...<....................t..(...........0q...............................................p..(............................text....P.......R.................. ..h.rdata.......p.......V..............@..H.data...x............`..............@....pdata...............b..............@..HINIT.................f.............. ....rsrc................n..............@..B.reloc..<............r..............@..B................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:data
Category:dropped
Size (bytes):10136
Entropy (8bit):7.111963563245086
Encrypted:false
SSDEEP:192:xpkA4I/yo2JC6vyyKwnsFWQF3lrIzLMmDWqnajKs57wczb:J52lrnsFRJlrEQmDWlGs53
MD5:87F9F85E95F9FBE3846E145CEC886E42
SHA1:BAA55A0CFA3DBAAC1D082C4A2FEE1DA43DEABCF1
SHA-256:CC2359A2FBF7962B3DF4D88D75A878A393F8C2694465D629F67593C107F94B0C
SHA-512:D80DEC2C15FF05B9E6468BF5841BB024F48B0EB6822E932D65EED024B4A8FAE352AFE370E798CEE9AA2C06773E2163E849AF40B14C3B7D2C3657186F61278FBF
Malicious:false
                                                                                                                                                                                                                                Preview:0.'...*.H........'.0.'....1.0...`.H.e......0..u..+.....7.....f0..b0...+.....7.......~.?..A./:.d.)...211208152411Z0...+.....7.....0.. 0....R2.B.E.A.8.9.F.8.A.0.D.9.A.8.6.7.C.6.B.B.7.7.1.1.F.5.1.E.C.B.7.E.C.D.B.0.F.9.8.8...1..+0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f...0@..+.....7...1200...O.S.A.t.t.r........2.:.6...0.,.2.:.1.0...0...0E..+.....7...17050...+.....7.......0!0...+........+....g.w....~...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.9.9.D.C.6.4.0.E.9.9.5.E.4.2.7.5.6.B.D.C.2.E.5.9.3.9.A.7.0.4.1.3.D.6.5.4.A.2.3...1..=0@..+.....7...1200...O.S.A.t.t.r........2.:.6...0.,.2.:.1.0...0...0F..+.....7...1806...F.i.l.e.......$t.e.a.m.v.i.e.w.e.r.v.p.n...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........y..@..'V...pA=eJ#0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}........0...0J..+.....7....<0:.&.Q.u.a.l.i.f.i.c.a.t.i.o.n. .L.e.v.e.l.
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):46936
Entropy (8bit):6.656488161316276
Encrypted:false
SSDEEP:768:XD0lMrZrZwFu/xdw9/oxBwNNyElQWmjI11YiWJ1hP4n2u41z2:6MT1ZyFoElQWAI11772H2
MD5:6317A1890582D5ABB3E3E3EE6B217411
SHA1:78F44D94212467FC61B98EFBDA91F2BC701E1A39
SHA-256:3A09C3A24EC480BA4AD466760996E0F3CED30C1499ABDA32DA6EAD9DE5D08836
SHA-512:6241DC81EF29736972D2E8CE3FE0C52371445CF80E5EBF22630D9F29B1953470A0F2C15A57262E400F90773EB74428AF4521C744ACFE7D202F19EBF9B7AE3E03
Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........JF..+(.+(.+(.@..+(.@).+(.+).+(.@+.+(.@,.+(..^,.+(..^..+(..^*.+(.Rich.+(.........................PE..d..../La.........."......X.....................@..........................................`A....................................................<............p..T....v..XA...........R..8............................S...............P...............................text....=.......>.................. ..h.rdata.......P.......B..............@..H.data........`.......N..............@....pdata..T....p.......P..............@..HPAGE.................T.............. ..`INIT.................b.............. ..b.rsrc................n..............@..B.reloc...............t..............@..B................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:data
Category:dropped
Size (bytes):8881
Entropy (8bit):7.27496797439638
Encrypted:false
SSDEEP:192:Ast9AnYe+PjPtrwnc8ijtlAur9ZCspE+TM4rwMcA0qTv0a:NAnYPLWUUHeM4cAVv0a
MD5:1F2380A5474583DBA929F761A760546F
SHA1:561248613C6F443D8A993900E2DBEBF3B718A660
SHA-256:143DF27418B1EAF375BED6291765E2E77166830D6216A6BFB71A075735F05DA5
SHA-512:4309403DF0A29C53190833AA13A6E67A4501650B77106BC62925F691DFFEDCAB184B6DF3B8BA750E0A8FD4C9B6E0919B729F5BD250413178CD7A4CE287241AED
Malicious:false
                                                                                                                                                                                                                                Preview:0."...*.H........".0."....1.0...+......0..|..+.....7.....m0..i0...+.....7......i.&...E..l....N..170512092819Z0...+.....7.....0..F0....R2.9.6.0.7.A.C.D.0.3.F.6.4.A.B.F.5.2.3.9.8.B.F.3.D.E.0.4.E.8.1.9.D.1.A.0.8.C.3.4...1..K0>..+.....7...100....F.i.l.e........t.v.m.o.n.i.t.o.r...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........)`z...J.R9........40V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R5.5.E.A.8.D.A.C.7.0.9.3.1.2.3.E.2.6.5.8.4.A.4.9.0.1.2.5.1.7.8.1.8.C.0.F.5.8.6.D...1..C0>..+.....7...100....F.i.l.e........t.v.m.o.n.i.t.o.r...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........U.p..>&XJI.%....Xm0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......0..0....+.....7......0.....O.S
Process:C:\Users\user\AppData\Local\Temp\Client-built.exe
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:dropped
Size (bytes):71954
Entropy (8bit):7.996617769952133
Encrypted:true
SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\Client-built.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:modified
                                                                                                                                                                                                                                Size (bytes):328
                                                                                                                                                                                                                                Entropy (8bit):3.236892865807448
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6:kKAplL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:zDImsLNkPlE99SNxAhUe/3
                                                                                                                                                                                                                                MD5:54C8475C895CC8BFF53396A57A94E411
                                                                                                                                                                                                                                SHA1:4A1735471B8A9CF13E89428F1E583858D8C2C926
                                                                                                                                                                                                                                SHA-256:CF5F5D2633C78C73EBBA144B22A8E0843953A486E01F47A94C913CB4C6141E3E
                                                                                                                                                                                                                                SHA-512:6C233170EEC71DD2A016008935EDDB39468A64BE32169A1E46C112E0B106417273E53A936E1E621B4FA6BC3E4A1F6D49DE593CAF599919E3364875C6F3FBDB3E
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:p...... .........x.*cJ..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\lz3EbiqoK4.exe
                                                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):388
                                                                                                                                                                                                                                Entropy (8bit):5.20595142366915
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk7v:MLF2CpI329Iz52Ve
                                                                                                                                                                                                                                MD5:2452328391F7A0B3C56DDF0E6389513E
                                                                                                                                                                                                                                SHA1:6FE308A325AE8BFB17DE5CAAF54432E5301987B6
                                                                                                                                                                                                                                SHA-256:2BC0F7D1CBD869EF4FD93B95495C8081B01B3FD627890B006B6A531D8C050AA2
                                                                                                                                                                                                                                SHA-512:AC65283B0959E112B73160BB4322D0725C7D0EC79E3BB93555B1412204AA72F1F66BB9EB8D8B24B6570EC8717A1A4A129454588C3EA9ACE206B6E9CCB7F2ABDC
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\lz3EbiqoK4.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):3266048
                                                                                                                                                                                                                                Entropy (8bit):6.0837240941236725
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:bvk22SsaNYfdPBldt6+dBcjHwKRJ6JQa:TJ7jjM
                                                                                                                                                                                                                                MD5:181719B653C83D0463D89A625A7F5C3E
                                                                                                                                                                                                                                SHA1:1173005BE27979DC74779E60DC790299E4F2B0A4
                                                                                                                                                                                                                                SHA-256:03A4B081B4966130CBE615FF249954E7E9A0D62A79FAF8E56AC3830929748E43
                                                                                                                                                                                                                                SHA-512:D05E6FC586A8731903DF4CFFE3BDCB92F99E2CDBE15E40706E87ECC038E4E9B1EF1FC9A39F8ADEDA4341E3507F2F8F81AE50D590FF9F4233CD7694B26FB3FA04
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, Author: Florian Roth
                                                                                                                                                                                                                                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, Author: ditekSHen
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.W.....2...................... 2...................................................... ............... ..H............text...4.1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(....*....0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........-5..........08......f~w...,.~....(....(....*.*v.(.....s....}.....s....}....*r..(......(.....(......(....*....0..L........{....r...po....
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\lz3EbiqoK4.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):72005560
                                                                                                                                                                                                                                Entropy (8bit):7.999967414230672
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:1572864:Ve9Md8ir5RcKqhxdJjHKO56/nMgt5LhZx5oZiJG2Ol40hi7iU:E2NdRTqhXJDLenHhZx+ZiJcl4n
                                                                                                                                                                                                                                MD5:D15511E4B90CC6729FEDAF86D080D1F6
                                                                                                                                                                                                                                SHA1:F793057F848979822C892AD135AF23C6B45EE15B
                                                                                                                                                                                                                                SHA-256:F5BA0D0FAB79FAFF553D77B2BE94AD3B21D978AF62C716D580995978E2A316D6
                                                                                                                                                                                                                                SHA-512:6661E262B9C0D2FFEE467F4503257FC3DE4736A47B805660315E813EE0523C5A1696628DC89B77EC2662E52D6D8EF069F9D9B0E91B51B7BDBF7FFD3916495341
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F..v...F...@...F.Rich..F.........................PE..L....z.W.................^...........0.......p....@..........................`......?MK...@.................................(t..........hk............J.0/...........................................................p...............................text...[\.......^.................. ..`.rdata..F....p.......b..............@..@.data................v..............@....ndata.......@...........................rsrc...hk.......l...z..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):702776
                                                                                                                                                                                                                                Entropy (8bit):6.74302767407908
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:H9bt5E1nHSqUSCX0UD0GgUGLt9jkqvaStOIkWk5Yu5yclFQxq8p0:H9btgnHSqUSCXnD0GgUGLt9jkm3Ask5v
                                                                                                                                                                                                                                MD5:878C644C12C3D96438C2909FBB7375CD
                                                                                                                                                                                                                                SHA1:4FB206E213BD088E28A1C10AB815D1BFD1B522F1
                                                                                                                                                                                                                                SHA-256:75CF60D72A2CB6A748DB6F69E2BFA065422DF7BB6636D3C214F5435341574A66
                                                                                                                                                                                                                                SHA-512:DF0D1903901FFAF7CA1EE22CC5B8BAC37CB554F78ED07A8CCAF84A2CD6FB7F9AC5599CAAD83D92079E170190701A9391468331EC8AA562BFDF32376703E05BD8
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..(.p.{.p.{.p.{...z.p.{...z.p.{...z.p.{...z.p.{.p.{.p.{Z..zNp.{Z..z.p.{Z..z.p.{\S.{.p.{...z.p.{...z.p.{...{.p.{.pq{.p.{...z.p.{Rich.p.{........PE..L......d...........!................................................................C.....@.........................P... ...p ..........@...............8/.......Q..|...T.............................@...............$............................text............................... ..`.rdata.............................@..@.data....@...@......................@....rsrc...@............2..............@..@.reloc...Q.......R...8..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                Category:modified
                                                                                                                                                                                                                                Size (bytes):3354
                                                                                                                                                                                                                                Entropy (8bit):5.085404755027287
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:48:8RLHoRhbqlLACBeky7yaEHhRMoKZgMian0i6Xmj/t84ht4fPLtfLI92x0w:ILH+laKTEBYZgMiaJaCteLV1
                                                                                                                                                                                                                                MD5:C2B771362CB13ECA6AB87B6A5B935755
                                                                                                                                                                                                                                SHA1:BDF0CE6B5B7E45414BD2FEC131C118376AB14823
                                                                                                                                                                                                                                SHA-256:E910BBDD7DB7755F273740CB5A3692686F67AB910A020D7F7B965E017CBCB6B0
                                                                                                                                                                                                                                SHA-512:FC8819E516AFDD487A12E80C45103CF7AF7FC531718AF16CEA0B613F3967C32A0D8EF4317EC25611DE73B9A5F11B13D07CD7798D191DC25A5127CFD6CD33F84C
                                                                                                                                                                                                                                Malicious:false
Preview:2024-12-09-12-52-56 ----------------------------------------------------------------------------------------------------..2024-12-09-12-52-56 Installer: TeamViewer..2024-12-09-12-52-56 Version: 15.59.5 (JMP-91.4)..2024-12-09-12-52-56 Install mode: Admin..2024-12-09-12-52-56 Account type: Admin, UAC supported:1, Elevation:2..2024-12-09-12-52-56 Time: 2024-12-09-12-52-56..2024-12-09-12-52-56 OS-Version: 10.0.19045(64-bit) SP:0, Type:1..2024-12-09-12-52-56 OS-Info: Server:0 Home server:0..2024-12-09-12-52-56 User-SID: S-1-5-21-2246122658-3693405117-2476756634-1002..2024-12-09-12-52-56 Log level: 100 (default)..2024-12-09-12-52-56 ----------------------------------------------------------------------------------------------------..2024-12-09-12-52-56 ..2024-12-09-12-52-58 TVInitRollback(): create scheduled task for restore..2024-12-09-12-52-59 Create backup directory:<C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TVInstallTemp>..

Process:C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):71272344
Entropy (8bit):7.999987306679704
Encrypted:true
SSDEEP:1572864:re9Md8ir5RcKqhxdJjHKO56/nMgt5LhZx5oZiJG2Ol40hi7id:C2NdRTqhXJDLenHhZx+ZiJcl4m
MD5:8318FC63158C01368AADC6D4BE89FAD1
SHA1:88F4AEFCBDD5A748EC21469A565D9C57B7F6CB46
SHA-256:B64A8F72105117FF71ECA4692DF030B6E60C4ABA2631E0FE01411086BB42B1DC
SHA-512:DB7601C5A1AD25CF3F076C8C504EB885D3EBE6358A6490492DEE967C7FF5AC72319AAF75EDBFFD7FB0F7102473A2C16830408C7762283C67A374535EF8420076
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P..*_...P...P..OP..*_...P..s...P...V...P..Rich.P..........PE..L....z.W.................b...*.......3............@.................................0k@...@..........................................`..............hX?.0/...........................................................................................text...]a.......b.................. ..`.rdata...............f..............@..@.data...8............z..............@....ndata...................................rsrc........`......................@..@................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):78
Entropy (8bit):4.299916880895009
Encrypted:false
SSDEEP:3:HWRBXUrDikRLWvSGXR1mQWRKRL4RLJ:H8XUWkRL+TWgL4RLJ
MD5:A3C26DD25FC88922E9297E2A9D04AC53
SHA1:807B0CA16C4080B6CE7AE8B09E7DCCE7E52D5C19
SHA-256:1C5231379C3025A42D51F956F649C445EBC550F9AD9B9F5CC4AE5E627EF456B3
SHA-512:1D36EE7B43D82B72000520C0B0C37585576363FCD506AEAB362C544000B0BF9702A357E118B2AE3499D8F8C9A7529F56169CC14E5281A5246AE9EFD342C4FA59
Malicious:false
Preview:[Installer]..DefaultInstallation=1..UnattendedAccess=0..CustomInstallation=0..

Process:C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):50
Entropy (8bit):4.703465189601647
Encrypted:false
SSDEEP:3:HWRFRLMKxKAhdXCzTtA7:H4RLMqKAh8zm
MD5:A48B05E8E36F7F4E9096ADE8950B87E4
SHA1:C743C68FB5798389435927338D1C8ED1C59496A2
SHA-256:72935BCB05A31B405A0E4A13EB0BABD1640BBE03FAD52FF85FFA91390D0E8EEE
SHA-512:7943A5C44C136347F199A1A3E1AA8AF3F4EE9D5024D4588E3FAA95F57DCD51292E606A057D567D45C8BC9D62EBFCFEBD199654D1F1214B205124418C592F47F7
Malicious:false
Preview:[Installation]..INSTEXE=TeamViewer_Setup_x64.exe..

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:data
Category:dropped
Size (bytes):73450358
Entropy (8bit):7.942447696919663
Encrypted:false
SSDEEP:1572864:AZQtHGL2imNGck9gTKQtEZjZjb914komphRDrGdXCl2EXTcAeUL:aAm3gtEZR4KfR/l2EeA
MD5:8501B26923CBA585012B43C6E2ED1507
SHA1:05B7FDAE45254680888186EF51A188C80903D7E9
SHA-256:39C57507250071C76253592748EA2AA9ED19D370AD3F16FB73EBD78F34159564
SHA-512:3FDB930BB02BFB803B88FF5A25D6DAE98450C476F4ABAEFC0157EE8B157DA462EB0AB0CE8B241C10C3F9F6627E72AE0981AFEFC1810349916EC3655197AE785A
Malicious:false
Preview:.b%.....,.......................<.......r1%.!....b%.....................................................~...................................................................................................................................................................................G...J.......................F.......y.......................................................................................................................%...............................................................................................................................D.......k.......*.......................................j.......l...r...t.......*.......................................................................................................................4.......................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):27960
Entropy (8bit):6.728473100924503
Encrypted:false
SSDEEP:384:E4C43tPegZ3eBaRwCPOYY7nNYXCT/YosaiZSf+VIYiWL3LU9Pxh8E9VF0NyzDcHF:ElTgZ3eBTCmrnNAho/YiWk9PxWEZsOe
MD5:E87068563FC18E67A78230067CC240E5
SHA1:37CD2CB5581FC575B8C46383D877926BDA85883B
SHA-256:822F75B69DD87332B5995528771923EC74DC5329C65094BF4E372EB8EF42BB8E
SHA-512:DAB6B330D73ABADB63F6EB02A5BC87CE9B9D1BC64FCB9289581CFC2E04BE0254893945B3BDB762B382BB491388E34BC018F098A489908DFBC9FECA2A9BA13D5D
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.px.q.+.q.+.q.+.q.+[q.+.~C+.q.+^R.+.q.+^R/+.q.+.w.+.q.+.Q.+.q.+Rich.q.+........PE..L....z.W...........!.........`.......+.......0......................................................................8......X1.......................>..8/......X....................................................0..X............................text............................... ..`.rdata..G....0......."..............@..@.data...DL...@.......,..............@....rsrc................6..............@..@.reloc..x............8..............@..B........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):23864
Entropy (8bit):6.996623524463238
Encrypted:false
SSDEEP:384:58QIl975eXqlWBrz7YLOlACZSf+VIYiWLbLWQaZdPxh8E9VF0Ny0W3N9:5gPgrfYLOWJ/YiW8PxWE6Y9
MD5:938C37B523D7FC08166E7A5810DD0F8E
SHA1:47B9663E5873669211655E0010E322F71B5A94BE
SHA-256:A91AA7C0EAD677FC01B1C864E43E0CACE110AFB072B76AD47F4B3D1563F4DC20
SHA-512:77AFE83FB4E80A775DAE0A54A2F0FF9710C135F9F1CF77396BC08A7FE46B016A8C079B4FA612E764EEA5D258703F860688E38B443E33B1F980E04831739517C1
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....z.W...........!..... ...........'.......0...............................`......|#...............................2.......0..P.......................8/...P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):713528
Entropy (8bit):6.691023897960291
Encrypted:false
SSDEEP:12288:1vN6jZ0SoGsZwrbV22NJPNKwhtFXWKRc/VL5dAXfyud15bMVq03D:1vN6aSoGsZwXV22NNNKwhfmH5abEP
MD5:41C3A6594060581D3BF1A16ED4AE6A72
SHA1:62BDF8C2A3FA5F70E8B25E83C946DEBF80C8FD47
SHA-256:E35396C7D7E32A8FE771895ED9EA16BD85C8544410BF4DC70A42CCD2884CFD83
SHA-512:3FEE7EA74B4173B2815D631C8E69F5A21F2A170A46CE60424F9B9FB03CF7A35EAB6933210497F851816A1A85EB3FDB682781CCB5E2607B7ADE6DBC7A098368BD
Malicious:false
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........E.;.$eh.$eh.$eh.Vfi.$eh.V`im$eh.Vai.$eh.Vdi.$eh.$dh|$eh.Q`i.$eh.Qai.$eh.Qfi.$eh..Uh.$eh.Q`i.$eh.Qei.$eh.Q.h.$eh.$.h.$eh.Qgi.$ehRich.$eh........................PE..L......d...........!.........Z......>........................................ ...........@.........................P8.. ...p>..........@...............8/......pQ......T...............................@...............,............................text............................... ..`.rdata..............................@..@.data...LO...`.......B..............@....rsrc...@............\..............@..@.reloc..pQ.......R...b..............@..B........................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):30520
Entropy (8bit):6.8630485708295605
Encrypted:false
SSDEEP:384:QqVibvTh4qnFP+OPEzinclP+RZSf+VIYiWLglLoPxh8E9VF0NyH5TV:QqVavVfPkzhlmg/YiWLPxWEFX
MD5:488819F838ABFCAD73A2220C151292EE
SHA1:4A0CBD69300694F6DC393436E56A49E27546D0FE
SHA-256:B5BB8D301173C4DD2969B1203D2C7D9400BA3F7F2E34EE102905BD2724162430
SHA-512:B00D6CF712FE4CEFCE41479F6E6F4AA5EA006694D10F2837204DE5BDE1C5A4BEF1368F2B0EB4B66D57A66E8CE6DC335FA91E9C8017E8E125C27EB1F5DF4DE9A0
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......DH.".)lq.)lq.)lq.)mqP)lq.!1q.)lq./jq.)lqT.]q.)lq..hq.)lqRich.)lq........................PE..L...lKPJ...........!.....4...........:.......P.......................................................................B..J....:..x....`...............H..8/...p..........................................................L............................text...Z3.......4.................. ..`.data........P.......8..............@....rsrc........`.......@..............@..@.reloc.......p.......B..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):16184
                                                                                                                                                                                                                                Entropy (8bit):6.9836578650009375
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:hxvcecjqZSF8VG+VIYiYF8u7a7JV+A0MLyfP+noPOJB3hy2sE9jBF0NyH0lQkzkT:QrWZSf+VIYiWLyLvPxh8E9VF0NyHka
                                                                                                                                                                                                                                MD5:77FF6A927940A0E4B8DC07BDDE6AB5DB
                                                                                                                                                                                                                                SHA1:8D0035242289504D050D237F7E3E548C1DDFF077
                                                                                                                                                                                                                                SHA-256:E1CB80A23786B02CB2C6A2F9E391B63CBF3AD911E42BBDC14CC6879C84B7404E
                                                                                                                                                                                                                                SHA-512:6A3050DC8E3F4EAAA85A43CDF1AC4F69745C07EFE48268103EE7D8927EC574B6866740F95E6B3AFF154BA74CD05024223A3EA4957CB773DD065CFD797F8A07E3
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L....z.W...........!................j........ ...............................P......_............................... "......L ..<.......................8/...@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1332
                                                                                                                                                                                                                                Entropy (8bit):3.6031642286014898
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:Q+soqioC/irl1vSCm6a/gC863pXH/aKCo6sSljRF3Cb6LlTQ8CC6Llfnq84RUv:rs4Yx1vEFhaoWXrEJfq86a
                                                                                                                                                                                                                                MD5:F68824A4130EBAF6BC7AB0F62256D7D7
                                                                                                                                                                                                                                SHA1:40AF19A0D92B3C9E1A8B1EAAB7D12C69E5DF436A
                                                                                                                                                                                                                                SHA-256:CD8149A2E89373075EE6DB800B7F2496BACBFE21B23E4A06A3453632503B3965
                                                                                                                                                                                                                                SHA-512:6A173AAA183BE0E5A516CAD484802DAE1FC53A414F870F93EA846A9EF9F9DF35153766EF632EB5E8CED8F94C2ED09A9DECDF3465D46B0DCC44A6918D88E242CB
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:..[.S.e.t.t.i.n.g.s.].....N.u.m.F.i.e.l.d.s.=.6.....R.T.L.=.0.........[.F.i.e.l.d. .2.].....T.y.p.e.=.T.e.x.t.....L.e.f.t.=.1.0.....T.o.p.=.1.4.....R.i.g.h.t.=.1.7.3.....B.o.t.t.o.m.=.2.6.....S.t.a.t.e.=.C.:.\.P.r.o.g.r.a.m.m.e.\.T.e.a.m.V.i.e.w.e.r.........[.F.i.e.l.d. .1.].....T.y.p.e.=.L.a.b.e.l.....L.e.f.t.=.1.0.....T.o.p.=.0.....R.i.g.h.t.=.2.9.6.....B.o.t.t.o.m.=.7.....T.e.x.t.=.D.e.s.t.i.n.a.t.i.o.n. .d.i.r.:.........[.F.i.e.l.d. .3.].....T.y.p.e.=.B.u.t.t.o.n.....L.e.f.t.=.1.8.9.....T.o.p.=.1.2.....R.i.g.h.t.=.2.6.9.....B.o.t.t.o.m.=.2.7.....T.e.x.t.=.B.r.o.w.s.e...........F.l.a.g.s.=.N.O.T.I.F.Y.........[.F.i.e.l.d. .4.].....T.y.p.e.=.C.h.e.c.k.B.o.x.....L.e.f.t.=.1.0.....T.o.p.=.3.6.....R.i.g.h.t.=.2.9.6.....B.o.t.t.o.m.=.4.5.....T.e.x.t.=.I.n.s.t.a.l.l. .T.e.a.m.V.i.e.w.e.r. .P.r.i.n.t.e.r. .D.r.i.v.e.r.....F.l.a.g.s.=.N.O.T.I.F.Y.........[.F.i.e.l.d. .5.].....T.y.p.e.=.C.h.e.c.k.B.o.x.....L.e.f.t.=.1.0.....T.o.p.=.5.5.....R.i.g.h.t.=.2.9.6.....B.o.t.t.o.m.=.6.4.....T.e.x.t.
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1264
                                                                                                                                                                                                                                Entropy (8bit):3.530715965349217
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:Q+soh1v05h6KPlUwmCX6sXxoByx2/uwmpCG6sULAQl6R5wJCD6sUqQ8lICx/L1:rss1vqDUwrXxRxMuwM+AQowQtICxT1
                                                                                                                                                                                                                                MD5:DB0713808219E4D7334171F9E1E6C2BC
                                                                                                                                                                                                                                SHA1:8D8C463837CFCE60B6F501DD75B398E3C7ED8A06
                                                                                                                                                                                                                                SHA-256:51B57CF2C70006646A76797CADAA5D014C9FF707DA8A4B4E17BCDFCCC3C00FD8
                                                                                                                                                                                                                                SHA-512:EF0F8FF01E4F6419BC64AF3A0FADADA15F0C1F23F95A544460DD4FAC83C1DDE3758537FD5F93CC8E3B39A45B310261B3F6511A286D95EE5EDF615EC40AAC08AF
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:..[.S.e.t.t.i.n.g.s.].....N.u.m.F.i.e.l.d.s.=.5.....R.T.L.=.0.........[.F.i.e.l.d. .1.].....T.y.p.e.=.L.a.b.e.l.....L.e.f.t.=.1.5.....T.o.p.=.2.0.....R.i.g.h.t.=.2.9.7.....B.o.t.t.o.m. .=. .3.0.....T.e.x.t.=.H.o.w. .d.o. .y.o.u. .w.a.n.t. .t.o. .u.s.e. .T.e.a.m.V.i.e.w.e.r.?.........[.F.i.e.l.d. .3.].....T.y.p.e.=.R.a.d.i.o.B.u.t.t.o.n.....L.e.f.t.=.1.5.....T.o.p.=.5.5.....R.i.g.h.t.=.2.9.7.....B.o.t.t.o.m.=.7.1.....T.e.x.t.=.I. .w.a.n.t. .t.o. .t.e.s.t. .t.h.e. .c.o.m.m.e.r.c.i.a.l. .f.e.a.t.u.r.e.s. .w.i.t.h. .a. .f.r.e.e. .1.4.-.d.a.y. .c.o.m.m.e.r.c.i.a.l. .t.r.i.a.l.....S.t.a.t.e.=.0.....F.l.a.g.s.=.N.O.T.I.F.Y.........[.F.i.e.l.d. .4.].....T.y.p.e.=.R.a.d.i.o.B.u.t.t.o.n.....L.e.f.t.=.1.5.....T.o.p.=.7.1.....R.i.g.h.t.=.2.9.7.....B.o.t.t.o.m.=.8.7.....T.e.x.t.=.I. .w.a.n.t. .t.o. .u.s.e. .t.h.e. .f.r.e.e. .v.e.r.s.i.o.n. .f.o.r. .p.e.r.s.o.n.a.l. .u.s.e.....S.t.a.t.e.=.0.....F.l.a.g.s.=.N.O.T.I.F.Y.........[.F.i.e.l.d. .5.].....T.y.p.e.=.R.a.d.i.o.B.u.t.t.o.n.....L.e.f.t.=.1.5...
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF, LF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):546
                                                                                                                                                                                                                                Entropy (8bit):3.657658544544843
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6:Q+slAm+fpIKiieXtAP9IHauQl33CslECmsCpi8lnMm2RKUEZ+lX1AWm5LlcTcpi4:Q+samuIfHaHNCsgsSaJRKQ1AJLJpDTV9
                                                                                                                                                                                                                                MD5:C33C779207C18F367DE4158CB6BA12CA
                                                                                                                                                                                                                                SHA1:7589131A6C1478A080CD3FD00AC4FEB596E32170
                                                                                                                                                                                                                                SHA-256:B6FD863D06A2E82B9F938296232D5206E2F7E6C3AB4996D5AA6FC5630235C43E
                                                                                                                                                                                                                                SHA-512:C7A4937DA0488BC867F313F3A6BFF07D6101F0A9F209AA499B4A5EE1771BF2ECF391074A9D5E363991062B90BDDD9D02C48060D1798D03E90FE775EBFA6A824A
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:..[.S.e.t.t.i.n.g.s.]...R.e.c.t.=.1.0.4.4...N.u.m.F.i.e.l.d.s.=.3...R.T.L.=.0.....[.F.i.e.l.d. .1.]...T.y.p.e.=.b.i.t.m.a.p...L.e.f.t.=.0...R.i.g.h.t.=.1.0.9...T.o.p.=.0...B.o.t.t.o.m.=.1.9.3...F.l.a.g.s.=.R.E.S.I.Z.E.T.O.F.I.T...T.e.x.t.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.y.5.D.7.2...t.m.p.\.m.o.d.e.r.n.-.w.i.z.a.r.d...b.m.p.....[.F.i.e.l.d. .2.]...T.y.p.e.=.l.a.b.e.l...L.e.f.t.=.1.2.0...R.i.g.h.t.=.3.1.5...T.o.p.=.1.0...[.F.i.e.l.d. .3.]...T.y.p.e.=.l.a.b.e.l...L.e.f.t.=.1.2.0...R.i.g.h.t.=.3.1.5.....
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):58168
                                                                                                                                                                                                                                Entropy (8bit):6.650537239673466
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:ZmTLl3rmEgLMP/rLqgidfwHJQDEExmE+Ji4RdVt//wf/YiWGoPxWEfQy:ZgLFm8OdfwpJS/fqt//wf/70Pxf
                                                                                                                                                                                                                                MD5:B05A97BB3F532B7CF57B8EEDF198D7AF
                                                                                                                                                                                                                                SHA1:83C13A90F4A3C1C62E132F5F3BC70C97C2ECFC80
                                                                                                                                                                                                                                SHA-256:7817F79BCDF54EF8617F15B5C0B9B92053549D5A51FA280722EE7179311B69A1
                                                                                                                                                                                                                                SHA-512:40706C5FC72198148962D24046722FC5E488C0CC4B3374A9F4B652175919E97A8712E882940DB8C26479619A26EC4E2D41744627A9CA52EC7CB1CE4F91D7EE8C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6e..X6..X6..X6...6..X6..Y6..X6.X.6..X6..%6..X6..66..X6..56..X6.."6..X6..$6..X6.. 6..X6Rich..X6........PE..L......Q...........!.....n...N.......................................................O.................................d......d.......x...............8/.............................................@............................................text....m.......n.................. ..`.rdata..4........ ...r..............@..@.data...............................@....rsrc...x...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26494
                                                                                                                                                                                                                                Entropy (8bit):1.9568109962493656
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
                                                                                                                                                                                                                                MD5:CBE40FD2B1EC96DAEDC65DA172D90022
                                                                                                                                                                                                                                SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
                                                                                                                                                                                                                                SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
                                                                                                                                                                                                                                SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):18744
                                                                                                                                                                                                                                Entropy (8bit):7.329913522821918
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:nqqedh6EHFRksp7KpFX1ZSf+VIYiWLALiqPxh8E9VF0NymgEy:Ted/FR9mXc/YiWMPxWEspy
                                                                                                                                                                                                                                MD5:9761D708EA7C49662A21F6690D439E06
                                                                                                                                                                                                                                SHA1:B2E757E7EEE5C788F16D666FB6CF9D41CACCB04B
                                                                                                                                                                                                                                SHA-256:8B8BE21FA7BCA491C93683C9F84BB49370CA7E1E864BD0658FF9E1D2809B67E4
                                                                                                                                                                                                                                SHA-512:25990A993373009CCBD9E89CAE3FC601928121775D0D5FE326C55A305CE8DE51F35A2CB160E9DFBF3BE82A53DDF7B9864116E7F5D3325AFD7403CD3B7740C652
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%)y.aH..aH..aH..h0..dH..aH..jH..h0..`H..z..cH..z..`H..z..`H..z..`H..RichaH..........................PE..L.....iO...........!.............p..0................................................\....@.........................$.......X...........X...............8/.........................................................................................UPX0.....p..............................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
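The records above give, for every file the NSIS stub TeamViewer_.exe dropped, an "Entropy (8bit)" value, a file-type label and a hash set, and the last record is labelled "UPX compressed" because its section table carries UPX0/UPX1 names rather than .text/.rdata. The script below is an added example (not part of the Joe Sandbox report and not Joe Sandbox code) that reproduces those three triage signals offline: 8-bit Shannon entropy, MD5/SHA1/SHA-256/SHA-512 in the report's upper-case hex form, and a PE header walk that reads the IMAGE_FILE_DLL flag and the section names to spot UPX. The inputs it runs on are constructed stand-ins (a stub PE header builder and a short UTF-16 INI fragment), not the bytes of the dropped files, so the numbers it prints are for those stubs only; to check the report's values, pass the real files' bytes to `triage()`.

```python
"""Offline triage of dropped files: 8-bit entropy, hashes and a PE/UPX check.

Added example, not part of the sandbox report. All sample inputs below are
constructed stand-ins, not the bytes of the real dropped files.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform
    random bytes. This is the measure the report calls 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA-256/SHA-512 as upper-case hex, like the report columns."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_info(data: bytes):
    """Return (is_dll, section_names) for a PE file, or None if not PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    if len(data) < coff + 20:
        return None
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    characteristics, = struct.unpack_from("<H", data, coff + 18)
    sect_table = coff + 20 + size_opt        # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[sect_table + 40 * i: sect_table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return bool(characteristics & 0x2000), names   # 0x2000 = IMAGE_FILE_DLL


def classify(data: bytes) -> str:
    """Coarse label in the spirit of the report's 'File Type' column
    (magic bytes only; not a libmagic replacement)."""
    pe = pe_info(data)
    if pe is not None:
        is_dll, names = pe
        label = "PE32 executable (DLL)" if is_dll else "PE32 executable"
        if any(n.startswith("UPX") for n in names):
            label += ", UPX compressed"   # UPX0/UPX1 section names, as in the last record
        return label
    if data[:2] == b"BM":
        return "PC bitmap"
    if data[:2] == b"\xff\xfe":
        return "UTF-16 LE text"
    return "data"


def build_stub_pe(section_names, is_dll=True) -> bytes:
    """Constructed minimal PE: DOS stub, COFF header, empty section headers.
    Not a loadable image; it exists only to exercise pe_info()/classify()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> right after DOS header
    chars = 0x2000 if is_dll else 0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, chars)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


def triage(data: bytes) -> dict:
    """One record per file, in the same field order the report uses."""
    return {"size": len(data), "entropy": round(shannon_entropy(data), 4),
            "type": classify(data), **digests(data)}


if __name__ == "__main__":
    samples = {   # constructed inputs, not the dropped files themselves
        "plain.dll": build_stub_pe([".text", ".rdata", ".data", ".reloc"]),
        "packed.dll": build_stub_pe(["UPX0", "UPX1", ".rsrc"]),
        "dialog.ini": "\ufeff[Settings]\r\nNumFields=3\r\n".encode("utf-16-le"),
    }
    for name, blob in samples.items():
        print(name, triage(blob))
```

Two caveats when reading the report's numbers with this in hand: entropy is a hint, not proof of packing (the unpacked 18744-byte DLL in the next record scores 7.10 against the UPX build's 7.33, and the report marks both "Encrypted:false"), and a UPX section name is trivially renamed, so treat the label as a pointer toward a packer check rather than a verdict.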
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):18744
                                                                                                                                                                                                                                Entropy (8bit):7.099446360233213
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:BqbGgezxEqoyGgmkN7ZSf+VIYiWLSL/Pxh8E9VF0Ny4LN2:431yGLk8/YiWePxWEOZ2
                                                                                                                                                                                                                                MD5:9EA6EC7934495CC757639B5095362CA7
                                                                                                                                                                                                                                SHA1:EF2C14142B70689483576CC09083DB4A2A363E02
                                                                                                                                                                                                                                SHA-256:4D8C8353641BBB26BF9EA2AB2DBF126BE6EF164B1CE80E3EF5030B873BE166CD
                                                                                                                                                                                                                                SHA-512:414B08F75BD7FEBB56784D8534CEE028F6420776F07CE5797F66A78748C34B52F443AA35F72C8D7C81DD5366B34998B56D99A9D0D2B4B2B6BFC9775E4FF66531
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....z.W...........!......................... ...............................P.......................................$..l.... ..P.......................8/...@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):191800
                                                                                                                                                                                                                                Entropy (8bit):6.526825420894023
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:OBFxfbJUIW9WGExPYD5JFBJOYWjm8KCmRv1fPIVF2tbRpj/uxe:qxzJSAGEdYD5JcYl78FsLP
                                                                                                                                                                                                                                MD5:7FE20CEE9277556F4EF137E61D29D9F5
                                                                                                                                                                                                                                SHA1:D53C37DBF548914ED20C8EBB21186A95BEEF1EE3
                                                                                                                                                                                                                                SHA-256:5D71AAEEFBC81732017E9040C8087E6686A16DD54E6D9BCD5BA7A47AF68CC925
                                                                                                                                                                                                                                SHA-512:A90250214C6C5048B098E031FCA5A8097854A8667330551D7694740E3BC83F7D77791D314E3AC75617EF1834B75C41E3E3D3C74DA9794A207894C13FB2D4BEF7
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.I............7y......7y..9...7y..c...........................i.....7y..~...7y......7y......7y......Rich............................PE..L......M...........!.................w....................................... .......o.............................. {.......q..P.......H...............8/......0...................................8;..@............................................text............................... ..`.rdata...k.......l..................@..@.data...._...........p..............@....rsrc...H...........................@..@.reloc...........0..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2132
                                                                                                                                                                                                                                Entropy (8bit):3.67500518582924
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:48:ArTYGhjKyTwsJf4VpwX+U2wIoqKb1Cj7n:+T5KyHJgV8+vqb1CHn
                                                                                                                                                                                                                                MD5:FF187ECEFC70B4C7B362F91E5B364BCA
                                                                                                                                                                                                                                SHA1:002369D2CEA8326CB323E17319CD8D4E766E0B5E
                                                                                                                                                                                                                                SHA-256:4255E309D08D7CC98EBFE3644932478EB781878DADED9A2B7F244BC9306DD156
                                                                                                                                                                                                                                SHA-512:9B61ACE4500A3234DCCA0AADB78DAC77F34287F19D9D01B7ACA81FB90C0893A34428F8C49BE0A7F9B79CAA959FDBD4EDC3032FE55CA643050D2472F15E076969
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:..;. .A.u.t.o.-.g.e.n.e.r.a.t.e.d. .b.y. .E.c.l.i.p.s.e.N.S.I.S. .I.n.s.t.a.l.l.O.p.t.i.o.n.s. .S.c.r.i.p.t. .W.i.z.a.r.d.....;. .3.0...0.1...2.0.0.6. .1.1.:.1.9.:.5.5.....[.S.e.t.t.i.n.g.s.].....N.u.m.F.i.e.l.d.s.=.9.....R.T.L.=.0.....S.t.a.t.e.=.0.........[.F.i.e.l.d. .8.].....T.y.p.e.=.L.a.b.e.l.....L.e.f.t.=.1.0.....T.o.p.=.1.....R.i.g.h.t.=.2.9.7.....B.o.t.t.o.m.=.1.0.....T.e.x.t.=.H.o.w. .d.o. .y.o.u. .w.a.n.t. .t.o. .p.r.o.c.e.e.d.?.....H.W.N.D.=.6.6.7.2.6.........[.F.i.e.l.d. .1.].....T.y.p.e.=.R.a.d.i.o.B.u.t.t.o.n.....L.e.f.t.=.1.5.....T.o.p.=.1.3.....R.i.g.h.t.=.2.9.7.....B.o.t.t.o.m.=.2.9.....T.e.x.t.=.D.e.f.a.u.l.t. .i.n.s.t.a.l.l.a.t.i.o.n.....S.t.a.t.e.=.1.....F.l.a.g.s.=.G.R.O.U.P.|.N.O.T.I.F.Y.....H.W.N.D.=.6.6.7.1.6.........[.F.i.e.l.d. .7.].....T.y.p.e.=.C.h.e.c.k.B.o.x.....L.e.f.t.=.1.0.....T.o.p.=.1.5.2.....R.i.g.h.t.=.2.1.5.....B.o.t.t.o.m.=.1.6.3.....T.e.x.t.=.S.h.o.w. .a.d.v.a.n.c.e.d. .s.e.t.t.i.n.g.s.....S.t.a.t.e.=.0.....F.l.a.g.s.=.N.O.T.I.F.Y.....H.W.N.D.=.
                                                                                                                                                                                                                                Process:C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):23864
                                                                                                                                                                                                                                Entropy (8bit):6.996623524463238
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:58QIl975eXqlWBrz7YLOlACZSf+VIYiWLbLWQaZdPxh8E9VF0Ny0W3N9:5gPgrfYLOWJ/YiW8PxWE6Y9
                                                                                                                                                                                                                                MD5:938C37B523D7FC08166E7A5810DD0F8E
                                                                                                                                                                                                                                SHA1:47B9663E5873669211655E0010E322F71B5A94BE
                                                                                                                                                                                                                                SHA-256:A91AA7C0EAD677FC01B1C864E43E0CACE110AFB072B76AD47F4B3D1563F4DC20
                                                                                                                                                                                                                                SHA-512:77AFE83FB4E80A775DAE0A54A2F0FF9710C135F9F1CF77396BC08A7FE46B016A8C079B4FA612E764EEA5D258703F860688E38B443E33B1F980E04831739517C1
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....z.W...........!..... ...........'.......0...............................`......|#...............................2.......0..P.......................8/...P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):18744
                                                                                                                                                                                                                                Entropy (8bit):7.329913522821918
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:nqqedh6EHFRksp7KpFX1ZSf+VIYiWLALiqPxh8E9VF0NymgEy:Ted/FR9mXc/YiWMPxWEspy
                                                                                                                                                                                                                                MD5:9761D708EA7C49662A21F6690D439E06
                                                                                                                                                                                                                                SHA1:B2E757E7EEE5C788F16D666FB6CF9D41CACCB04B
                                                                                                                                                                                                                                SHA-256:8B8BE21FA7BCA491C93683C9F84BB49370CA7E1E864BD0658FF9E1D2809B67E4
                                                                                                                                                                                                                                SHA-512:25990A993373009CCBD9E89CAE3FC601928121775D0D5FE326C55A305CE8DE51F35A2CB160E9DFBF3BE82A53DDF7B9864116E7F5D3325AFD7403CD3B7740C652
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%)y.aH..aH..aH..h0..dH..aH..jH..h0..`H..z..cH..z..`H..z..`H..z..`H..RichaH..........................PE..L.....iO...........!.............p..0................................................\....@.........................$.......X...........X...............8/.........................................................................................UPX0.....p..............................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                                                                                                                                                                                                                                Process:C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):18744
                                                                                                                                                                                                                                Entropy (8bit):7.099446360233213
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:BqbGgezxEqoyGgmkN7ZSf+VIYiWLSL/Pxh8E9VF0Ny4LN2:431yGLk8/YiWePxWEOZ2
                                                                                                                                                                                                                                MD5:9EA6EC7934495CC757639B5095362CA7
                                                                                                                                                                                                                                SHA1:EF2C14142B70689483576CC09083DB4A2A363E02
                                                                                                                                                                                                                                SHA-256:4D8C8353641BBB26BF9EA2AB2DBF126BE6EF164B1CE80E3EF5030B873BE166CD
                                                                                                                                                                                                                                SHA-512:414B08F75BD7FEBB56784D8534CEE028F6420776F07CE5797F66A78748C34B52F443AA35F72C8D7C81DD5366B34998B56D99A9D0D2B4B2B6BFC9775E4FF66531
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....z.W...........!......................... ...............................P.......................................$..l.... ..P.......................8/...@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4373449
                                                                                                                                                                                                                                Entropy (8bit):4.833524282835361
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24576:iJEhVu0vN6aSoGsZwXV22NNNKwhfmH5abENDzfL00+3JGqlxCsKEjzSKJ:rNvSoGsZwXV2ExnbEND00QssKEjOKJ
                                                                                                                                                                                                                                MD5:EDF7280BB63AB1B61C0570FE45F88C03
                                                                                                                                                                                                                                SHA1:0A62C191B86D43167FF9DFBBA1B07BF43E78F9AA
                                                                                                                                                                                                                                SHA-256:9C0A7FCF2D343D53A05FB2A8D3487BEC96A32CE0A1FD16AC887AEFE4D26F1640
                                                                                                                                                                                                                                SHA-512:E3606BAA52879EF78DED7BE0CA1D10168C2F6C3A201B404AF332EE72DF0EB66830D047C538E72E972D12ACE8FD72E298FF9F8AFF89A0A6053501B170CD44F435
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:.b%.....,.......................<.......r1%.!....b%.....................................................~...................................................................................................................................................................................G...J.......................F.......y.......................................................................................................................%...............................................................................................................................D.......k.......*.......................................j.......l...r...t.......*.......................................................................................................................4.......................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\lz3EbiqoK4.exe
                                                                                                                                                                                                                                File Type:Windows desktop.ini
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):227
                                                                                                                                                                                                                                Entropy (8bit):5.2735028737400205
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6:a1eZBXVNYTF0NwoScUbtSgyAXIWv7v5PMKq:UeZBFNYTswUq1r5zq
                                                                                                                                                                                                                                MD5:F7F759A5CD40BC52172E83486B6DE404
                                                                                                                                                                                                                                SHA1:D74930F354A56CFD03DC91AA96D8AE9657B1EE54
                                                                                                                                                                                                                                SHA-256:A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C
                                                                                                                                                                                                                                SHA-512:A50B7826BFE72506019E4B1148A214C71C6F4743C09E809EF15CD0E0223F3078B683D203200910B07B5E1E34B94F0FE516AC53527311E2943654BFCEADE53298
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:; ==++==..; ..; Copyright (c) Microsoft Corporation. All rights reserved...; ..; ==--==..[.ShellClassInfo]..CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}..ConfirmFileOp=1..InfoTip=Contains application stability information...
                                                                                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Entropy (8bit):7.999972392721924
                                                                                                                                                                                                                                TrID:
                                                                                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                File name:lz3EbiqoK4.exe
                                                                                                                                                                                                                                File size:75'655'168 bytes
                                                                                                                                                                                                                                MD5:33c2adebfe2c3acedfb34ffff8151b7d
                                                                                                                                                                                                                                SHA1:8e93f7ecafa92017a7d528423574ab5cfeec754a
                                                                                                                                                                                                                                SHA256:773e13fffd0842e717ce55e2a678da37123c55186f9c92460c671261b1654ffd
                                                                                                                                                                                                                                SHA512:6f545b4da55412ec78de6d1c3bddbcc6bb857b7d13b15fe4bb832259dbe1842d44a02b46395233c23ca57abd34239226a60c9f7ee26fcf82ba383a836f8d61ad
                                                                                                                                                                                                                                SSDEEP:1572864:yIWs/6+mI5n17YTIytz8ATFiQiFGaaoE13gIFxXtzM/zMfCOA6Z:ssJmIBiTvR8UFiQYGvoq35FVEeCOr
                                                                                                                                                                                                                                TLSH:FAF73320BC930947E55128B9B4E1FE3F080DAF376F74A47B1D753E07BE38666A09644A
                                                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8...8...8.m.8...8...8...8...8...8...8#..8...8...8Rich...8........PE..L.....Sg..........#........................
                                                                                                                                                                                                                                Icon Hash:71e0d49292c0f033
                                                                                                                                                                                                                                Entrypoint:0x40ccef
                                                                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                                                                Digitally signed:false
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                Time Stamp:0x675394E3 [Sat Dec 7 00:20:51 2024 UTC]
                                                                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                                                OS Version Major:5
                                                                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                                                                File Version Major:5
                                                                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                                                                Subsystem Version Major:5
                                                                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                                                                Import Hash:9dd8c0ff4fc84287e5b766563240f983
                                                                                                                                                                                                                                Instruction
                                                                                                                                                                                                                                call 00007F77B4820886h
                                                                                                                                                                                                                                jmp 00007F77B481AA49h
                                                                                                                                                                                                                                mov edi, edi
                                                                                                                                                                                                                                push ebp
                                                                                                                                                                                                                                mov ebp, esp
                                                                                                                                                                                                                                sub esp, 20h
                                                                                                                                                                                                                                mov eax, dword ptr [ebp+08h]
                                                                                                                                                                                                                                push esi
                                                                                                                                                                                                                                push edi
                                                                                                                                                                                                                                push 00000008h
                                                                                                                                                                                                                                pop ecx
                                                                                                                                                                                                                                mov esi, 0041F058h
                                                                                                                                                                                                                                lea edi, dword ptr [ebp-20h]
                                                                                                                                                                                                                                rep movsd
                                                                                                                                                                                                                                mov dword ptr [ebp-08h], eax
                                                                                                                                                                                                                                mov eax, dword ptr [ebp+0Ch]
                                                                                                                                                                                                                                pop edi
                                                                                                                                                                                                                                mov dword ptr [ebp-04h], eax
                                                                                                                                                                                                                                pop esi
                                                                                                                                                                                                                                test eax, eax
                                                                                                                                                                                                                                je 00007F77B481ABAEh
                                                                                                                                                                                                                                test byte ptr [eax], 00000008h
                                                                                                                                                                                                                                je 00007F77B481ABA9h
                                                                                                                                                                                                                                mov dword ptr [ebp-0Ch], 01994000h
                                                                                                                                                                                                                                lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                                push eax
                                                                                                                                                                                                                                push dword ptr [ebp-10h]
                                                                                                                                                                                                                                push dword ptr [ebp-1Ch]
                                                                                                                                                                                                                                push dword ptr [ebp-20h]
                                                                                                                                                                                                                                call dword ptr [0041B000h]
                                                                                                                                                                                                                                leave
                                                                                                                                                                                                                                retn 0008h
                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                mov eax, 00413523h
                                                                                                                                                                                                                                mov dword ptr [004228E4h], eax
                                                                                                                                                                                                                                mov dword ptr [004228E8h], 00412C0Ah
                                                                                                                                                                                                                                mov dword ptr [004228ECh], 00412BBEh
                                                                                                                                                                                                                                mov dword ptr [004228F0h], 00412BF7h
                                                                                                                                                                                                                                mov dword ptr [004228F4h], 00412B60h
                                                                                                                                                                                                                                mov dword ptr [004228F8h], eax
                                                                                                                                                                                                                                mov dword ptr [004228FCh], 0041349Bh
                                                                                                                                                                                                                                mov dword ptr [00422900h], 00412B7Ch
                                                                                                                                                                                                                                mov dword ptr [00422904h], 00412ADEh
                                                                                                                                                                                                                                mov dword ptr [00422908h], 00412A6Bh
                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                mov edi, edi
                                                                                                                                                                                                                                push ebp
                                                                                                                                                                                                                                mov ebp, esp
                                                                                                                                                                                                                                call 00007F77B481AB3Bh
                                                                                                                                                                                                                                call 00007F77B48213C0h
                                                                                                                                                                                                                                cmp dword ptr [ebp+00h], 00000000h
                                                                                                                                                                                                                                Programming Language:
                                                                                                                                                                                                                                • [ASM] VS2008 build 21022
                                                                                                                                                                                                                                • [IMP] VS2005 build 50727
                                                                                                                                                                                                                                • [C++] VS2008 build 21022
                                                                                                                                                                                                                                • [ C ] VS2008 build 21022
                                                                                                                                                                                                                                • [LNK] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x215b4          0x64          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x26000          0x4804714     .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1b1d0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x20da0          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1b000          0x18c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x196d8       0x19800    bbd3e5395b15b06d2967530b6b59018e  False     0.5780292585784313  data       6.745940569149453   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x1b000          0x6df2        0x6e00     2a36cd4e315443b43c4620372d9a9076  False     0.5467329545454546  data       6.443128575748918   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x22000          0x30c0        0x1600     b37653ac83a62b9683f8689b82ddcb74  False     0.3126775568181818  data       3.2624449625054814  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x26000          0x4804714     0x4804800  49cc2cd8fc6ad777f21fa40d77936351  unknown   unknown             unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x261fc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.17641843971631205
RT_ICON | 0x26664 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.10834896810506567
RT_ICON | 0x2770c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.08651452282157676
RT_ICON | 0x29cb4 | 0x25ee | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9794026776519053
RT_RCDATA | 0x2c2a4 | 0x47fe11b | data | | | 1.0003108978271484
RT_RCDATA | 0x482a3c0 | 0x20 | data | | | 1.28125
RT_GROUP_ICON | 0x482a3e0 | 0x3e | data | | | 0.7903225806451613
RT_VERSION | 0x482a420 | 0x2f4 | data | | | 0.4470899470899471
DLL | Import
KERNEL32.dll | RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, CreateFileA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle
ole32.dll | OleInitialize
OLEAUT32.dll | VariantInit, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, SysFreeString, SysAllocString
mscoree.dll | CorBindToRuntimeEx
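The import table above, read together with the section and resource tables, is what a triage script keys on: the .rsrc section is almost the whole file and carries a single RT_RCDATA blob of 0x47fe11b bytes that zlib cannot shrink (complexity 1.0003, against 0.08 to 0.98 for the icons), and the executable imports FindResourceA/LoadResource/LockResource/SizeofResource next to mscoree!CorBindToRuntimeEx and the OLEAUT32 SafeArray routines, the API shape of a native stub that starts the CLR in-process and hands a managed assembly over as a SAFEARRAY byte[]. The script below is an added example, not part of the Joe Sandbox report; it encodes those three checks over the report's own values. The thresholds (90% of the image, ratio 0.98, 64 KiB minimum) and the reading of the import set as a CLR-hosting loader are assumptions, and this excerpt of the report does not by itself say what the blob contains.

```python
"""Static triage over the section, resource and import tables of a sandbox
report. Added example, not part of the Joe Sandbox report; thresholds and rule
names are assumptions. SECTIONS, RESOURCES and IMPORTS are copied from the
report's tables for lz3EbiqoK4.exe (IMPORTS trimmed to the names the rules use)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int
    vsize: int
    rawsize: int
    entropy: Optional[float]  # None where the report prints "unknown"


@dataclass(frozen=True)
class Resource:
    rtype: str
    rva: int
    size: int
    zlib_complexity: float  # compressed/original ratio; ~1.0 means incompressible


SECTIONS = [
    Section(".text", 0x1000, 0x196d8, 0x19800, 6.745940569149453),
    Section(".rdata", 0x1b000, 0x6df2, 0x6e00, 6.443128575748918),
    Section(".data", 0x22000, 0x30c0, 0x1600, 3.2624449625054814),
    Section(".rsrc", 0x26000, 0x4804714, 0x4804800, None),
]
RESOURCES = [
    Resource("RT_ICON", 0x261fc, 0x468, 0.17641843971631205),
    Resource("RT_ICON", 0x26664, 0x10a8, 0.10834896810506567),
    Resource("RT_ICON", 0x2770c, 0x25a8, 0.08651452282157676),
    Resource("RT_ICON", 0x29cb4, 0x25ee, 0.9794026776519053),
    Resource("RT_RCDATA", 0x2c2a4, 0x47fe11b, 1.0003108978271484),
    Resource("RT_RCDATA", 0x482a3c0, 0x20, 1.28125),
    Resource("RT_GROUP_ICON", 0x482a3e0, 0x3e, 0.7903225806451613),
    Resource("RT_VERSION", 0x482a420, 0x2f4, 0.4470899470899471),
]
IMPORTS = {
    "KERNEL32.dll": {"FindResourceA", "LoadResource", "LockResource",
                     "SizeofResource", "FreeResource", "IsDebuggerPresent",
                     "CreateToolhelp32Snapshot", "Module32First", "Module32Next"},
    "ole32.dll": {"OleInitialize"},
    "OLEAUT32.dll": {"SafeArrayCreate", "SafeArrayAccessData",
                     "SafeArrayUnaccessData", "SafeArrayCreateVector",
                     "SysAllocString", "VariantInit"},
    "mscoree.dll": {"CorBindToRuntimeEx"},
}


def dominant_resource(sections, resources):
    """Largest resource and its share of the summed section raw sizes
    (PE headers are ignored, which only nudges the share upward)."""
    image = sum(s.rawsize for s in sections)
    big = max(resources, key=lambda r: r.size)
    return big, big.size / image


def incompressible_rcdata(resources, min_size=0x10000, min_ratio=0.98):
    """RCDATA blobs zlib cannot shrink: encrypted or already-compressed
    payloads look like this; icons, version info and plain tables do not.
    Tiny entries are skipped because zlib framing alone pushes them past 1.0."""
    return [r for r in resources
            if r.rtype == "RT_RCDATA" and r.size >= min_size
            and r.zlib_complexity >= min_ratio]


def clr_hosting_loader(imports):
    """Import shape of a native stub that reads a resource, starts the CLR
    in-process with the legacy CorBindToRuntimeEx and hands the bytes over as
    a SAFEARRAY (the COM form of a managed byte[]). A strong hint, not proof:
    mixed-mode installers can import the same set."""
    k32 = imports.get("KERNEL32.dll", set())
    ole = imports.get("OLEAUT32.dll", set())
    cor = imports.get("mscoree.dll", set())
    reads_resource = bool({"FindResourceA", "FindResourceW"} & k32) and \
        {"LoadResource", "LockResource", "SizeofResource"} <= k32
    return reads_resource and "CorBindToRuntimeEx" in cor \
        and {"SafeArrayCreate", "SafeArrayAccessData"} <= ole


def triage(sections, resources, imports):
    """Findings that fired, as printable strings."""
    findings = []
    big, share = dominant_resource(sections, resources)
    if share >= 0.9:
        findings.append(f"{big.rtype}@{big.rva:#x} is {share:.1%} of the image")
    for r in incompressible_rcdata(resources):
        findings.append(f"{r.rtype}@{r.rva:#x} ({r.size:#x} bytes) is incompressible")
    if clr_hosting_loader(imports):
        findings.append("imports match resource -> CorBindToRuntimeEx -> SAFEARRAY loader")
    return findings


if __name__ == "__main__":
    for finding in triage(SECTIONS, RESOURCES, IMPORTS):
        print("[!]", finding)
```

The three rules are independent on purpose: a large incompressible RCDATA alone is also what a legitimate self-extracting installer looks like, and the CLR-hosting import set alone is how some mixed-mode launchers start; it is the three together on one small native stub that is worth a second look.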
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T18:52:47.774466+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 167.71.56.116 | 22269 | 192.168.2.4 | 49731 | TCP
2024-12-09T18:52:47.774466+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 167.71.56.116 | 22269 | 192.168.2.4 | 49731 | TCP
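Both alerts fire at the same instant on the server side of the first connection (port 49731), i.e. on the certificate the C2 presents in its TLS handshake, and the packet timeline below shows the client then opening a fresh connection to 167.71.56.116:22269 roughly every 5.5 seconds from a new source port. The script below is an added example, not part of the Joe Sandbox report: it rebuilds flows from a subset of those timeline rows, measures the re-dial cadence and maps each alert back to the flow it fired on. The 25% tolerance, the sample minimum and the "beaconing" verdict are assumptions.

```python
"""Flow reconstruction and re-dial cadence over a sandbox packet timeline.
Added example, not part of the Joe Sandbox report. PACKETS is a subset of the
report's packet rows and ALERTS its two Suricata alerts; the 25% tolerance,
the sample minimum and the 'beaconing' verdict are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

CET = timezone(timedelta(hours=1))  # the report's CET stamps are UTC+01:00

# Timestamp, src port, dst port, src IP, dst IP (rows copied from the report).
PACKETS = """
Dec 9, 2024 18:52:45.914556980 CET 49731 22269 192.168.2.4 167.71.56.116
Dec 9, 2024 18:52:46.034420013 CET 22269 49731 167.71.56.116 192.168.2.4
Dec 9, 2024 18:52:47.774466038 CET 22269 49731 167.71.56.116 192.168.2.4
Dec 9, 2024 18:52:51.373666048 CET 49731 22269 192.168.2.4 167.71.56.116
Dec 9, 2024 18:52:54.917768002 CET 49737 22269 192.168.2.4 167.71.56.116
Dec 9, 2024 18:52:55.037065983 CET 22269 49737 167.71.56.116 192.168.2.4
Dec 9, 2024 18:53:00.345165014 CET 49739 22269 192.168.2.4 167.71.56.116
Dec 9, 2024 18:53:06.094727993 CET 49740 22269 192.168.2.4 167.71.56.116
Dec 9, 2024 18:53:11.694304943 CET 49741 22269 192.168.2.4 167.71.56.116
Dec 9, 2024 18:53:17.177974939 CET 49742 22269 192.168.2.4 167.71.56.116
Dec 9, 2024 18:53:22.566176891 CET 49744 22269 192.168.2.4 167.71.56.116
Dec 9, 2024 18:53:28.010126114 CET 49755 22269 192.168.2.4 167.71.56.116
"""

# Time, SID, signature, src IP, src port, dst IP, dst port (from the report).
ALERTS = [
    ("2024-12-09T18:52:47.774466+0100", 2027619,
     "ET MALWARE Observed Malicious SSL Cert (Quasar CnC)",
     "167.71.56.116", 22269, "192.168.2.4", 49731),
    ("2024-12-09T18:52:47.774466+0100", 2035595,
     "ET MALWARE Generic AsyncRAT Style SSL Cert",
     "167.71.56.116", 22269, "192.168.2.4", 49731),
]


def parse_packet(line):
    """One timeline row -> (ts, src ip, src port, dst ip, dst port)."""
    mon, day, year, clock, _tz, sport, dport, sip, dip = line.split()
    hms, frac = clock.split(".")
    ts = datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d, %Y %H:%M:%S")
    # strptime's %f stops at microseconds; the report prints nanoseconds.
    ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")), tzinfo=CET)
    return ts, sip, int(sport), dip, int(dport)


def flow_key(sip, sport, dip, dport):
    """Direction-independent 4-tuple: both sides of a connection share it."""
    return tuple(sorted([(sip, sport), (dip, dport)]))


def build_flows(text):
    """Group rows by flow, each flow a time-sorted packet list."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        pkt = parse_packet(line)
        flows[flow_key(*pkt[1:])].append(pkt)
    for pkts in flows.values():
        pkts.sort(key=lambda p: p[0])
    return dict(flows)


def redial_intervals(flows, server_ip, server_port):
    """Seconds between successive connection attempts to server_ip:port,
    taking each flow's earliest packet as the attempt."""
    starts = sorted(p[0][0] for p in flows.values()
                    if p[0][3] == server_ip and p[0][4] == server_port)
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def cadence(intervals, tolerance=0.25):
    """Median interval and the share of intervals within +/-tolerance of it.
    The share, not the max deviation, is used so one long-lived session (here
    the first, which completed the TLS exchange) cannot hide a fixed loop."""
    if not intervals:
        return None, 0.0
    med = median(intervals)
    return med, sum(abs(i - med) <= tolerance * med for i in intervals) / len(intervals)


def is_beaconing(intervals, min_samples=5, min_share=0.75):
    return len(intervals) >= min_samples and cadence(intervals)[1] >= min_share


def correlate_alerts(alerts, flows):
    """(SID, signature, seconds into its flow) for each IDS alert."""
    out = []
    for ts, sid, sig, sip, sport, dip, dport in alerts:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
        pkts = flows.get(flow_key(sip, sport, dip, dport))
        out.append((sid, sig, (when - pkts[0][0]).total_seconds() if pkts else None))
    return out


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    gaps = redial_intervals(flows, "167.71.56.116", 22269)
    med, share = cadence(gaps)
    print(f"{len(flows)} flows; median re-dial {med:.2f}s; {share:.0%} within 25%;"
          f" beaconing={is_beaconing(gaps)}")
    for sid, sig, off in correlate_alerts(ALERTS, flows):
        print(f"SID {sid} fired {off:.2f}s into its flow: {sig}")
```

On the report's rows the first gap is about 9 s (that session stayed up long enough to finish the TLS exchange) and the remaining six sit between 5.39 s and 5.75 s, so a max-deviation rule would miss the loop while the share-within-tolerance rule flags it. The alert offset of about 1.86 s is the time from the client's first packet to the server packet carrying the certificate, a useful sanity check that the IDS alert and the flow table describe the same connection.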
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 18:52:45.914556980 CET | 49731 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:46.034420013 CET | 22269 | 49731 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:46.034502029 CET | 49731 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:46.045758009 CET | 49731 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:46.166585922 CET | 22269 | 49731 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:47.650424957 CET | 22269 | 49731 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:47.650532007 CET | 22269 | 49731 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:47.650593996 CET | 49731 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:47.655101061 CET | 49731 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:47.774466038 CET | 22269 | 49731 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:48.760284901 CET | 22269 | 49731 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:48.805975914 CET | 49731 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:51.244883060 CET | 49731 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:51.373608112 CET | 22269 | 49731 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:51.373666048 CET | 49731 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:54.917768002 CET | 49737 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:55.037065983 CET | 22269 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:55.037139893 CET | 49737 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:55.037513971 CET | 49737 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:55.156994104 CET | 22269 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:56.656696081 CET | 22269 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:56.658111095 CET | 49737 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:56.684508085 CET | 49737 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:52:56.779582977 CET | 22269 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:56.804809093 CET | 22269 | 49737 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:52:56.804864883 CET | 49737 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:00.345165014 CET | 49739 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:00.464634895 CET | 22269 | 49739 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:00.465275049 CET | 49739 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:00.466001987 CET | 49739 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:00.585247993 CET | 22269 | 49739 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:02.123843908 CET | 22269 | 49739 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:02.124569893 CET | 49739 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:02.152107954 CET | 49739 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:02.244021893 CET | 22269 | 49739 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:02.271822929 CET | 22269 | 49739 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:02.271894932 CET | 49739 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:06.094727993 CET | 49740 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:06.215048075 CET | 22269 | 49740 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:06.215130091 CET | 49740 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:06.215490103 CET | 49740 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:06.334804058 CET | 22269 | 49740 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:07.839298010 CET | 22269 | 49740 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:07.841795921 CET | 49740 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:07.849725008 CET | 49740 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:07.961283922 CET | 22269 | 49740 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:07.970082045 CET | 22269 | 49740 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:07.970191002 CET | 49740 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:11.694304943 CET | 49741 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:11.813775063 CET | 22269 | 49741 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:11.813849926 CET | 49741 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:11.814301968 CET | 49741 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:11.933593035 CET | 22269 | 49741 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:13.459006071 CET | 22269 | 49741 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:13.462239981 CET | 49741 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:13.464045048 CET | 49741 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:13.581604004 CET | 22269 | 49741 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:13.584192991 CET | 22269 | 49741 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:13.584239960 CET | 49741 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:17.177974939 CET | 49742 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:17.297625065 CET | 22269 | 49742 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:17.297708988 CET | 49742 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:17.298069000 CET | 49742 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:17.417360067 CET | 22269 | 49742 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:18.934458971 CET | 22269 | 49742 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:18.935055971 CET | 49742 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:18.936487913 CET | 49742 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:19.060481071 CET | 22269 | 49742 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:19.062793016 CET | 22269 | 49742 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:19.062836885 CET | 49742 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:22.566176891 CET | 49744 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:22.686355114 CET | 22269 | 49744 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:22.686439991 CET | 49744 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:22.686794996 CET | 49744 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:22.806077957 CET | 22269 | 49744 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:24.355647087 CET | 22269 | 49744 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:24.356369019 CET | 49744 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:24.369719028 CET | 49744 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:24.475766897 CET | 22269 | 49744 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:24.489455938 CET | 22269 | 49744 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:24.489500046 CET | 49744 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:28.010126114 CET | 49755 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:28.131351948 CET | 22269 | 49755 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:28.131441116 CET | 49755 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:28.131786108 CET | 49755 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:28.252947092 CET | 22269 | 49755 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:29.725255966 CET | 22269 | 49755 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:29.725963116 CET | 49755 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:29.726892948 CET | 49755 | 22269 | 192.168.2.4 | 167.71.56.116
Dec 9, 2024 18:53:29.845338106 CET | 22269 | 49755 | 167.71.56.116 | 192.168.2.4
Dec 9, 2024 18:53:29.846561909 CET | 22269 | 49755 | 167.71.56.116 | 192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:29.846613884 CET4975522269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:33.197348118 CET4976722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:33.316870928 CET2226949767167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:33.317035913 CET4976722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:33.317472935 CET4976722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:33.436924934 CET2226949767167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:34.956608057 CET2226949767167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:34.957283020 CET4976722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:34.958317995 CET4976722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:35.081316948 CET2226949767167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:35.082431078 CET2226949767167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:35.082479000 CET4976722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:38.510016918 CET4978322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:38.629646063 CET2226949783167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:38.629743099 CET4978322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:38.630120039 CET4978322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:38.749567986 CET2226949783167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:40.305145025 CET2226949783167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:40.305789948 CET4978322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:40.306849003 CET4978322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:40.426027060 CET2226949783167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:40.427253962 CET2226949783167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:40.427318096 CET4978322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:43.791279078 CET4979422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:43.910736084 CET2226949794167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:43.910835981 CET4979422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:43.911443949 CET4979422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:44.030900955 CET2226949794167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:45.593015909 CET2226949794167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:45.593626022 CET4979422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:45.594593048 CET4979422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:45.713088989 CET2226949794167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:45.714317083 CET2226949794167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:45.714373112 CET4979422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:49.010149002 CET4981022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:49.129698038 CET2226949810167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:49.129800081 CET4981022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:49.130161047 CET4981022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:49.250066996 CET2226949810167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:50.733612061 CET2226949810167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:50.734277010 CET4981022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:50.735503912 CET4981022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:50.853640079 CET2226949810167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:50.855602026 CET2226949810167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:50.855699062 CET4981022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:54.275758982 CET4982122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:54.395375013 CET2226949821167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:54.395550013 CET4982122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:54.396032095 CET4982122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:54.515405893 CET2226949821167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:56.759954929 CET2226949821167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:56.761007071 CET4982122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:56.762542963 CET4982122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:53:56.881608963 CET2226949821167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:56.890553951 CET2226949821167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:53:56.890620947 CET4982122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:00.510096073 CET4983722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:00.629561901 CET2226949837167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:00.629688025 CET4983722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:00.630053997 CET4983722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:00.750034094 CET2226949837167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:03.265657902 CET2226949837167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:03.267065048 CET4983722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:03.269221067 CET4983722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:03.386449099 CET2226949837167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:03.392818928 CET2226949837167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:03.392973900 CET4983722269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:06.635144949 CET4985322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:06.754683971 CET2226949853167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:06.754777908 CET4985322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:06.755088091 CET4985322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:06.875035048 CET2226949853167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:08.712308884 CET2226949853167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:08.713129997 CET4985322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:08.714106083 CET4985322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:08.833177090 CET2226949853167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:08.834477901 CET2226949853167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:08.834532976 CET4985322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:12.135279894 CET4986422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:12.254745960 CET2226949864167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:12.254872084 CET4986422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:12.255178928 CET4986422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:12.375690937 CET2226949864167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:14.254487038 CET2226949864167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:14.255224943 CET4986422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:14.256287098 CET4986422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:14.375061035 CET2226949864167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:14.376806021 CET2226949864167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:14.376862049 CET4986422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:17.651021004 CET4988022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:17.770447969 CET2226949880167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:17.770564079 CET4988022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:17.770853996 CET4988022269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:54:17.890718937 CET2226949880167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:19.359498978 CET2226949880167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:54:19.360122919 CET4988022269192.168.2.4167.71.56.116
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 9, 2024 18:54:19.361124039 CET  49880        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:19.479522943 CET  22269        49880      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:19.481873989 CET  22269        49880      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:19.481964111 CET  49880        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:22.901201963 CET  49891        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:23.021102905 CET  22269        49891      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:23.021218061 CET  49891        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:23.021631002 CET  49891        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:23.141160965 CET  22269        49891      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:24.627521038 CET  22269        49891      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:24.628268957 CET  49891        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:24.629255056 CET  49891        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:24.747733116 CET  22269        49891      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:24.749641895 CET  22269        49891      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:24.749696016 CET  49891        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:28.260494947 CET  49907        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:28.381359100 CET  22269        49907      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:28.381454945 CET  49907        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:28.381793022 CET  49907        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:28.501569986 CET  22269        49907      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:30.019188881 CET  22269        49907      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:30.019831896 CET  49907        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:30.020891905 CET  49907        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:30.139709949 CET  22269        49907      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:30.140661955 CET  22269        49907      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:30.140815973 CET  49907        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:33.411936998 CET  49918        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:33.532088995 CET  22269        49918      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:33.532202959 CET  49918        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:33.533946037 CET  49918        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:33.653924942 CET  22269        49918      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:35.227840900 CET  22269        49918      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:35.228532076 CET  49918        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:35.229737997 CET  49918        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:35.354645967 CET  22269        49918      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:35.356317997 CET  22269        49918      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:35.356368065 CET  49918        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:38.984467983 CET  49929        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:39.105173111 CET  22269        49929      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:39.105295897 CET  49929        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:39.105545044 CET  49929        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:39.225013018 CET  22269        49929      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:40.767601013 CET  22269        49929      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:40.768340111 CET  49929        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:40.769505978 CET  49929        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:40.887613058 CET  22269        49929      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:40.889153004 CET  22269        49929      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:40.890141964 CET  49929        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:44.307584047 CET  49944        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:44.427580118 CET  22269        49944      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:44.427643061 CET  49944        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:44.427854061 CET  49944        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:44.547813892 CET  22269        49944      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:46.063290119 CET  22269        49944      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:46.064028978 CET  49944        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:46.064987898 CET  49944        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:46.183474064 CET  22269        49944      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:46.184542894 CET  22269        49944      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:46.184623957 CET  49944        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:49.354477882 CET  49956        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:49.473841906 CET  22269        49956      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:49.473933935 CET  49956        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:49.474261045 CET  49956        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:49.593559027 CET  22269        49956      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:51.118738890 CET  22269        49956      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:51.131206989 CET  49956        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:51.139187098 CET  49956        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:51.250533104 CET  22269        49956      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:51.260195971 CET  22269        49956      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:51.260356903 CET  49956        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:54.682468891 CET  49971        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:54.804635048 CET  22269        49971      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:54.804744959 CET  49971        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:54.805062056 CET  49971        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:54.924319983 CET  22269        49971      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:56.420449018 CET  22269        49971      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:56.421160936 CET  49971        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:56.422113895 CET  49971        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:56.540616989 CET  22269        49971      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:56.542201996 CET  22269        49971      167.71.56.116  192.168.2.4
Dec 9, 2024 18:54:56.542258024 CET  49971        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:54:59.932457924 CET  49983        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:00.052089930 CET  22269        49983      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:00.052198887 CET  49983        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:00.052580118 CET  49983        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:00.173430920 CET  22269        49983      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:01.728997946 CET  22269        49983      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:01.729631901 CET  49983        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:01.730818033 CET  49983        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:01.848959923 CET  22269        49983      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:01.851236105 CET  22269        49983      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:01.851320028 CET  49983        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:05.291834116 CET  49995        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:05.411412954 CET  22269        49995      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:05.411509037 CET  49995        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:05.411942959 CET  49995        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:05.531230927 CET  22269        49995      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:07.055562019 CET  22269        49995      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:07.056251049 CET  49995        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:07.057600975 CET  49995        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:07.175774097 CET  22269        49995      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:07.178618908 CET  22269        49995      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:07.178702116 CET  49995        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:10.432521105 CET  50008        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:10.551973104 CET  22269        50008      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:10.555444956 CET  50008        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:10.555800915 CET  50008        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:10.675228119 CET  22269        50008      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:12.150042057 CET  22269        50008      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:12.151242018 CET  50008        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:12.152216911 CET  50008        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:12.273356915 CET  22269        50008      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:12.274765015 CET  22269        50008      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:12.274842978 CET  50008        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:15.901374102 CET  50021        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:16.024651051 CET  22269        50021      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:16.024792910 CET  50021        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:16.025166035 CET  50021        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:16.145374060 CET  22269        50021      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:17.616538048 CET  22269        50021      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:17.617181063 CET  50021        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:17.618145943 CET  50021        22269      192.168.2.4    167.71.56.116
Dec 9, 2024 18:55:17.736555099 CET  22269        50021      167.71.56.116  192.168.2.4
Dec 9, 2024 18:55:17.738182068 CET  22269        50021      167.71.56.116  192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:17.738240957 CET5002122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:21.213846922 CET5003122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:21.333883047 CET2226950031167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:21.335212946 CET5003122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:21.335464001 CET5003122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:21.455431938 CET2226950031167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:22.943120003 CET2226950031167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:22.943953991 CET5003122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:22.945086002 CET5003122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:23.065702915 CET2226950031167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:23.066566944 CET2226950031167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:23.066622019 CET5003122269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:26.495878935 CET5003222269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:26.615320921 CET2226950032167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:26.615402937 CET5003222269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:26.615983009 CET5003222269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:26.735266924 CET2226950032167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:28.236211061 CET2226950032167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:28.236855984 CET5003222269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:28.237802982 CET5003222269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:28.356961012 CET2226950032167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:28.358063936 CET2226950032167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:28.358122110 CET5003222269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:31.970688105 CET5003322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:32.090248108 CET2226950033167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:32.090326071 CET5003322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:32.093627930 CET5003322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:32.213030100 CET2226950033167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:33.716212034 CET2226950033167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:33.717000008 CET5003322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:33.718199968 CET5003322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:33.836293936 CET2226950033167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:33.838084936 CET2226950033167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:33.838138103 CET5003322269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:37.137234926 CET5003422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:37.257246971 CET2226950034167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:37.257349014 CET5003422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:37.259663105 CET5003422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:37.382658958 CET2226950034167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:39.306700945 CET2226950034167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:39.307393074 CET5003422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:39.308353901 CET5003422269192.168.2.4167.71.56.116
                                                                                                                                                                                                                                Dec 9, 2024 18:55:39.427537918 CET2226950034167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:39.429155111 CET2226950034167.71.56.116192.168.2.4
                                                                                                                                                                                                                                Dec 9, 2024 18:55:39.429212093 CET5003422269192.168.2.4167.71.56.116
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 18:52:47.776994944 CET | 1.1.1.1 | 192.168.2.4 | 0x58f8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 18:52:47.776994944 CET | 1.1.1.1 | 192.168.2.4 | 0x58f8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 12:52:28
Start date: 09/12/2024
Path: C:\Users\user\Desktop\lz3EbiqoK4.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\lz3EbiqoK4.exe"
Imagebase: 0x400000
File size: 75'655'168 bytes
MD5 hash: 33C2ADEBFE2C3ACEDFB34FFFF8151B7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:52:41
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\Client-built.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\Client-built.exe"
Imagebase: 0xfc0000
File size: 3'266'048 bytes
MD5 hash: 181719B653C83D0463D89A625A7F5C3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000000.1871811766.00000000012E0000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.3667738198.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.3667738198.0000000003581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000000.1865166351.0000000000FC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, Author: Joe Security
• Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\Client-built.exe, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 5
Start time: 12:52:48
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe"
Imagebase: 0x400000
File size: 72'005'560 bytes
MD5 hash: D15511E4B90CC6729FEDAF86D080D1F6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 6
Start time: 12:52:52
Start date: 09/12/2024
Path: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe"
Imagebase: 0x400000
File size: 71'272'344 bytes
MD5 hash: 8318FC63158C01368AADC6D4BE89FAD1
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                                Start time:12:52:58
                                                                                                                                                                                                                                Start date:09/12/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
                                                                                                                                                                                                                                Imagebase:0x630000
                                                                                                                                                                                                                                File size:187'904 bytes
                                                                                                                                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                                Start time:12:52:58
                                                                                                                                                                                                                                Start date:09/12/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0xc10000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:9
                                                                                                                                                                                                                                Start time:12:53:00
                                                                                                                                                                                                                                Start date:09/12/2024
                                                                                                                                                                                                                                Path:C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:71'272'344 bytes
                                                                                                                                                                                                                                MD5 hash:8318FC63158C01368AADC6D4BE89FAD1
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:10
                                                                                                                                                                                                                                Start time:12:53:20
                                                                                                                                                                                                                                Start date:09/12/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
                                                                                                                                                                                                                                Imagebase:0x630000
                                                                                                                                                                                                                                File size:187'904 bytes
                                                                                                                                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:11
                                                                                                                                                                                                                                Start time:12:53:20
                                                                                                                                                                                                                                Start date:09/12/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:12
                                                                                                                                                                                                                                Start time:12:53:26
                                                                                                                                                                                                                                Start date:09/12/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
                                                                                                                                                                                                                                Imagebase:0x630000
                                                                                                                                                                                                                                File size:187'904 bytes
                                                                                                                                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:13
                                                                                                                                                                                                                                Start time:12:53:26
                                                                                                                                                                                                                                Start date:09/12/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true


Execution Graph

Execution Coverage:11%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:11.3%
Total number of Nodes:53
Total number of Limit Nodes:2
execution_graph 1936 689a84b 1937 689a872 LookupPrivilegeValueW 1936->1937 1939 689a8c2 1937->1939 1876 689aa8e 1878 689aabd AdjustTokenPrivileges 1876->1878 1879 689aadf 1878->1879 1940 689b640 1942 689b662 ShellExecuteExW 1940->1942 1943 689b6a4 1942->1943 1900 689a6a2 1901 689a6ce SetErrorMode 1900->1901 1902 689a6f7 1900->1902 1903 689a6e3 1901->1903 1902->1901 1904 689b662 1906 689b688 ShellExecuteExW 1904->1906 1907 689b6a4 1906->1907 1960 689a705 1961 689a736 CloseHandle 1960->1961 1963 689a770 1961->1963 1920 689b4a4 1922 689b4d6 WriteFile 1920->1922 1923 689b53d 1922->1923 1928 689acc4 1929 689ace2 K32EnumProcessModules 1928->1929 1931 689ad66 1929->1931 1932 689b2c7 1934 689b2fe CreateFileW 1932->1934 1935 689b385 1934->1935 1952 689adbd 1953 689adca K32GetModuleInformation 1952->1953 1955 689ae56 1953->1955 1908 689b2fe 1909 689b336 CreateFileW 1908->1909 1911 689b385 1909->1911 1924 689aeb4 1925 689aedc K32GetModuleBaseNameW 1924->1925 1927 689af62 1925->1927 1956 689b3d4 1958 689b416 GetFileType 1956->1958 1959 689b478 1958->1959 1944 689aa57 1945 689aa61 AdjustTokenPrivileges 1944->1945 1947 689aadf 1945->1947 1948 689a677 1950 689a6a2 SetErrorMode 1948->1950 1951 689a6e3 1950->1951 1888 689b4d6 1890 689b50b WriteFile 1888->1890 1891 689b53d 1890->1891 1916 689a736 1917 689a762 CloseHandle 1916->1917 1918 689a7a1 1916->1918 1919 689a770 1917->1919 1918->1917

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 6b900cd-6b900d4 1 6b9013b-6b90157 0->1 2 6b900d6-6b900f8 0->2 7 6b90159-6b90185 1->7 8 6b901c0-6b901f4 1->8 10 6b900fa-6b900fc 2->10 11 6b90104-6b90107 2->11 32 6b90191-6b90194 7->32 33 6b90187-6b90189 7->33 34 6b9020c 8->34 35 6b901f6-6b9020a 8->35 14 6b903c2-6b903d0 10->14 15 6b90102 10->15 11->14 16 6b9010d-6b9010f 11->16 21 6b9041d-6b90459 14->21 22 6b903d2-6b903d9 14->22 15->16 20 6b90119-6b90135 16->20 20->1 50 6b9064f-6b9066d 21->50 51 6b9045f-6b9064e 21->51 120 6b903db call 68c05df 22->120 121 6b903db call 6b91a2c 22->121 122 6b903db call 68c0606 22->122 123 6b903db call 6b95052 22->123 30 6b903e1-6b903e7 call 68923f4 46 6b903ed-6b903ee 30->46 32->14 36 6b9019a-6b901bb 32->36 33->14 38 6b9018f 33->38 40 6b90213 34->40 45 6b9021e-6b9022b 35->45 36->8 38->36 40->45 53 6b90232-6b9023a 45->53 57 6b90674-6b9067a 50->57 55 6b902ee-6b90307 53->55 56 6b90240-6b90254 53->56 71 6b90379-6b903a5 55->71 72 6b90309-6b90314 55->72 64 6b902cf-6b902d3 56->64 65 6b90256-6b90269 56->65 58 6b9067c 57->58 59 6b906c0-6b906c3 57->59 58->59 62 6b90683-6b906be 58->62 62->57 64->56 69 6b902d9 64->69 65->55 74 6b9026f-6b90296 65->74 69->55 95 6b903ba-6b903c1 71->95 80 6b9033c-6b90377 72->80 81 6b90316-6b9033a 72->81 96 6b90298-6b902c5 74->96 97 6b902c7-6b902cb 74->97 80->95 81->80 96->55 97->74 100 6b902cd 97->100 100->55 120->30 121->30 122->30 123->30
Strings
Memory Dump Source
• Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
Similarity
• API ID:
• String ID: :@tk$:@tk
                                                                                                                                                                                                                                  • API String ID: 0-1155632973
                                                                                                                                                                                                                                  • Opcode ID: 0dee570370a4e4312e75785599be128fdf6080b60144956ccab4b41551734d7f
                                                                                                                                                                                                                                  • Instruction ID: 450551fa7df4174d3bc01442d4a3f6c96bb077a0e27e0c4d15c45b07a4008401
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0dee570370a4e4312e75785599be128fdf6080b60144956ccab4b41551734d7f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A1F17D70B00210CFDB58EB39C894B6977E7AF8A308F1580B9D90ACB765EB769C45CB51

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 201 689aa57-689aabb 205 689aabd 201->205 206 689aac0-689aacf 201->206 205->206 207 689aad1-689aaf1 AdjustTokenPrivileges 206->207 208 689ab12-689ab17 206->208 211 689ab19-689ab1e 207->211 212 689aaf3-689ab0f 207->212 208->207 211->212
APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0689AAD7
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
• Opcode ID: 0f69afcee472b413e78127f303b2c5ad81218a064c62d808ff98f315520d9507
• Instruction ID: 75a5b500c12be39ae49e52fe69a5b1edc27e5bc7e5f4a0d4ae59e4d9a6bd1b5a
• Opcode Fuzzy Hash: 0f69afcee472b413e78127f303b2c5ad81218a064c62d808ff98f315520d9507
• Instruction Fuzzy Hash: A521BF75509384AFEB228F25DC44B56BFB4EF06310F0884DAE985CB163D231A908DB71
APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0689AAD7
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
• Opcode ID: 24b86e7ccee535e6b1f1ea8d1d28ea850591df47bc56027345b05af18ccb257a
• Instruction ID: 3f231dc2d121bca3815ee2e80b49e102675e2007dcbdbbf353dd5a8b80143632
• Opcode Fuzzy Hash: 24b86e7ccee535e6b1f1ea8d1d28ea850591df47bc56027345b05af18ccb257a
• Instruction Fuzzy Hash: 55115E316002449FEB608F55D944B6AFBE4FF08224F08C4AAED49DB652D375E458DBB1

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 125 689b2c7-689b356 129 689b358 125->129 130 689b35b-689b367 125->130 129->130 131 689b369 130->131 132 689b36c-689b375 130->132 131->132 133 689b377-689b39b CreateFileW 132->133 134 689b3c6-689b3cb 132->134 137 689b3cd-689b3d2 133->137 138 689b39d-689b3c3 133->138 134->133 137->138
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0689B37D
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ecaeb9a6ca630f007e12e88142d27779c20ff9b222be2de43cb55a9cec166b40
• Instruction ID: 4a4b6821109eae01e87db36ed84b08146d7142630caf4aa563fc672907729ba5
• Opcode Fuzzy Hash: ecaeb9a6ca630f007e12e88142d27779c20ff9b222be2de43cb55a9cec166b40
• Instruction Fuzzy Hash: 6431B2B1505380AFE722CB65DC44F66BFE8EF06214F08849AE985CB262D375E509DB71

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 141 689acc4-689ad56 146 689ad58-689ad60 K32EnumProcessModules 141->146 147 689ada3-689ada8 141->147 149 689ad66-689ad78 146->149 147->146 150 689adaa-689adaf 149->150 151 689ad7a-689ada0 149->151 150->151
APIs
• K32EnumProcessModules.KERNEL32(?,00000E30,38AF7DA2,00000000,00000000,00000000,00000000), ref: 0689AD5E
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: EnumModulesProcess
• String ID:
• API String ID: 1082081703-0
• Opcode ID: dcc071b320437135f7020850e970f280e67210c95806da90223b19eead872f12
• Instruction ID: 649e4352e85a18730b2c06d31da5c9d9c023e1c4d22a936fbdb2fe08199c07e2
• Opcode Fuzzy Hash: dcc071b320437135f7020850e970f280e67210c95806da90223b19eead872f12
• Instruction Fuzzy Hash: 7121D8715057806FEB128F61DC44FA6BFB8EF46324F0884DAE984DF193D265A909CB71

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 154 689adbd-689ae27 158 689ae29 154->158 159 689ae2c-689ae46 154->159 158->159 161 689ae48-689ae50 K32GetModuleInformation 159->161 162 689ae93-689ae98 159->162 163 689ae56-689ae68 161->163 162->161 165 689ae9a-689ae9f 163->165 166 689ae6a-689ae90 163->166 165->166
APIs
• K32GetModuleInformation.KERNEL32(?,00000E30,38AF7DA2,00000000,00000000,00000000,00000000), ref: 0689AE4E
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: InformationModule
• String ID:
• API String ID: 3425974696-0
• Opcode ID: bd361821a74064ca095a3c43fe23f118690ef7888e89ec9f123a31eb2306c9b9
• Instruction ID: 9004632e151e6726cc7aeff2a0d47f4463a29fc7ef47f865ab8c116224d20146
• Opcode Fuzzy Hash: bd361821a74064ca095a3c43fe23f118690ef7888e89ec9f123a31eb2306c9b9
• Instruction Fuzzy Hash: 792197715053846FEB22CB51DC44FAABFB8EF46310F0884AAE985DB652D265E908CB71

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 169 689aeb4-689af07 171 689af0a-689af5c K32GetModuleBaseNameW 169->171 173 689af62-689af8b 171->173
APIs
• K32GetModuleBaseNameW.KERNEL32(?,00000E30,?,?), ref: 0689AF5A
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: BaseModuleName
• String ID:
• API String ID: 595626670-0
• Opcode ID: 4cc2313ad109d85e331d3837c851a63b0c08fb89460864eba3ad122c33c168f4
• Instruction ID: 10fe25ef70e8a82da0bc0876f47c53fdbecc16915479d4b0443b759e4cf28ff8
• Opcode Fuzzy Hash: 4cc2313ad109d85e331d3837c851a63b0c08fb89460864eba3ad122c33c168f4
• Instruction Fuzzy Hash: 4F21DD715093C06FD312CB21CC55B66BFB4EF87210F0984DBE884DB6A3C624A919CBB2


Control-flow Graph (graph rendering omitted)
APIs
• GetFileType.KERNELBASE(?,00000E30,38AF7DA2,00000000,00000000,00000000,00000000), ref: 0689B469
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: FileType
• API String ID: 3081899298-0

Control-flow Graph (graph rendering omitted)
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0689B37D
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: CreateFile
• API String ID: 823142352-0

Control-flow Graph (graph rendering omitted)
APIs
• WriteFile.KERNELBASE(?,00000E30,38AF7DA2,00000000,00000000,00000000,00000000), ref: 0689B535
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: FileWrite
• API String ID: 3934441357-0

Control-flow Graph (graph rendering omitted)
APIs
• K32GetModuleInformation.KERNEL32(?,00000E30,38AF7DA2,00000000,00000000,00000000,00000000), ref: 0689AE4E
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: InformationModule
• API String ID: 3425974696-0

Control-flow Graph (graph rendering omitted)
APIs
• LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0689A8BA
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: LookupPrivilegeValue
• API String ID: 3899507212-0

Control-flow Graph (graph rendering omitted)
APIs
• K32EnumProcessModules.KERNEL32(?,00000E30,38AF7DA2,00000000,00000000,00000000,00000000), ref: 0689AD5E
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: EnumModulesProcess
• API String ID: 1082081703-0

Control-flow Graph (graph rendering omitted)
APIs
• ShellExecuteExW.SHELL32(?), ref: 0689B69C
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: ExecuteShell
• String ID:
• API String ID: 587946157-0

Control-flow Graph
APIs
• WriteFile.KERNELBASE(?,00000E30,38AF7DA2,00000000,00000000,00000000,00000000), ref: 0689B535
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0

Control-flow Graph
APIs
• LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0689A8BA
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

APIs
• GetFileType.KERNELBASE(?,00000E30,38AF7DA2,00000000,00000000,00000000,00000000), ref: 0689B469
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0

APIs
• SetErrorMode.KERNELBASE(?), ref: 0689A6D4
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

APIs
• K32GetModuleBaseNameW.KERNEL32(?,00000E30,?,?), ref: 0689AF5A
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: BaseModuleName
• String ID:
• API String ID: 595626670-0

APIs
• ShellExecuteExW.SHELL32(?), ref: 0689B69C
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: ExecuteShell
• String ID:
• API String ID: 587946157-0

APIs
• SetErrorMode.KERNELBASE(?), ref: 0689A6D4
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• CloseHandle.KERNELBASE(?), ref: 0689AB90
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• CloseHandle.KERNELBASE(?), ref: 0689A768
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• CloseHandle.KERNELBASE(?), ref: 0689A768
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• CloseHandle.KERNELBASE(?), ref: 0689AB90
Memory Dump Source
• Source File: 00000000.00000002.1944312663.000000000689A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0689A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_689a000_lz3EbiqoK4.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
Similarity
• API ID:
• String ID: ?
• API String ID: 0-1684325040
Memory Dump Source
• Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1945684267.00000000068C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_68c0000_lz3EbiqoK4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 5300afbcc3d0be87afab3b99f8589164912886241b27834cf8d63c146bc5400a
                                                                                                                                                                                                                                  • Instruction ID: 1f33a92c605206fbb2e69ef0d5cec1ebbe68909a431d2c1b6d688edb4abe5160
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5300afbcc3d0be87afab3b99f8589164912886241b27834cf8d63c146bc5400a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7EF0A772E041289FEF50CE66940865EFFAAEB846A5F05D1BADD0AF3144E73489019BE1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 799b37973193f9a60f15be848f0f3a25f40fdb5f1e1c4c26c1a44301036b0577
                                                                                                                                                                                                                                  • Instruction ID: 50b891c31a940137e618650e1315423670e2cbeeeef33dad4b4d6b57d410895f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 799b37973193f9a60f15be848f0f3a25f40fdb5f1e1c4c26c1a44301036b0577
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CDF0A772E041289FDF94DE9A9C449DFF7AEFF88371B09813AEA09D3100D671890187E4
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1945684267.00000000068C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_68c0000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: ac1177c7832734aa9f247fec7c9752c88970aa345dbd112e50cadc6061bb116a
                                                                                                                                                                                                                                  • Instruction ID: 07e10c6f6ed56d29c38aa9515e07d896259ba3ae18545f054bb15c60f5756af1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ac1177c7832734aa9f247fec7c9752c88970aa345dbd112e50cadc6061bb116a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9AE092766006444F9650CF0BEC41462F794EB84630B48C47FDC0D8B711D636B509CEA5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 506179c7525eba28b5dcb009ca59ff238c4a8c771c2a02d38455ed44bde10b11
                                                                                                                                                                                                                                  • Instruction ID: c8bcca9ba7ea8736de5d6b22147086ebd65d0c4ff9551a09b85b3f85acc0e464
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 506179c7525eba28b5dcb009ca59ff238c4a8c771c2a02d38455ed44bde10b11
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E4E08C3479031C8FEB40EB39D882B2A33EBB785648B104065EE28C7349FB71E800CB84
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1944283324.0000000006892000.00000040.00000800.00020000.00000000.sdmp, Offset: 06892000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6892000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 7c7559407ff30c01d885f9924df55a7eb2adba40bee8ad0f44cd291c522dded7
                                                                                                                                                                                                                                  • Instruction ID: e9cf7f3bfa6a143a2bae41e03643fb0f541b07965e4d6627ed04f571a6da3f49
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c7559407ff30c01d885f9924df55a7eb2adba40bee8ad0f44cd291c522dded7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2D05B757156C15FD726CA1CC164B9937D47B51704F4A44F99840CB763C768D681D610
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1944283324.0000000006892000.00000040.00000800.00020000.00000000.sdmp, Offset: 06892000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6892000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: ec9397d25c303347904b483e62446ec432bf2910c5c4f47a500905e19687644a
                                                                                                                                                                                                                                  • Instruction ID: 818a5f4d86db8965e4aacd86b8dc650e7f764a5de64c484702ad410638344277
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ec9397d25c303347904b483e62446ec432bf2910c5c4f47a500905e19687644a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 56D05E346011814FCB19CA1CC2E4F5D37D4AB40704F0A84E9AC10CBB72C3B4EA80DA10
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: d036cda3cc94ab369dd624cf615589fa707479190eaf3fa2f08571b0cfc5f62e
                                                                                                                                                                                                                                  • Instruction ID: 37634fc1ee066ff72930da9c91aa76a57e15e0281c5b66a0538f48a42b7602ca
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d036cda3cc94ab369dd624cf615589fa707479190eaf3fa2f08571b0cfc5f62e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FCC04C752041086B8204DA89D851C16F7A9DBD9664714C06DA90D87351DA33ED13C594
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 6e535847eea9d200a55a7b9121c5e52c72b7fa1b377b3058a9cd8bb67c22957c
                                                                                                                                                                                                                                  • Instruction ID: 52c19d469e859c453677675bb5d1ae547f7399b5ac81cc39b91743df5e53efe5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e535847eea9d200a55a7b9121c5e52c72b7fa1b377b3058a9cd8bb67c22957c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 68D09E74D00158CFDB64CF15C84868CBBF5AB48300F1481EA845DA2250EA700A85CF05
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                                                                                                                                                                  • Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 3ad0490bf8d588379b3603ffd05e2db81b9b37b7a4bffb300c00b0d04beba70f
                                                                                                                                                                                                                                  • Instruction ID: 8f365d7df00a802b9b1c247908488a05fb5f40169af76d265f500abbb4342449
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ad0490bf8d588379b3603ffd05e2db81b9b37b7a4bffb300c00b0d04beba70f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FCA011B000C20C8A2EC03BF02808008B20CAA00022B8088B8EA2C000020EA8A00088B2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 62dc1e2f5d043d0986854ae407b62e4d3d8c9a12a95c5707238d6a5dfc86f7ff
                                                                                                                                                                                                                                  • Instruction ID: 0e700d061e89e1a7b43fb686bd77ea7821b0c78e0095d2a2ab51930c09cc2e86
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 62dc1e2f5d043d0986854ae407b62e4d3d8c9a12a95c5707238d6a5dfc86f7ff
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B4B0123420420C472AC037E0240441D320ED640010B840058DF1E422449D85140406E1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 68e00c4d8ee2ff1d6b95079c6e96fea265a3b601f3fdb161c7a571fc4e60b0d1
                                                                                                                                                                                                                                  • Instruction ID: 1ce1ec16add382fa6998837622c2f30f70d04d3b1f6899db5813839c4707b38f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 68e00c4d8ee2ff1d6b95079c6e96fea265a3b601f3fdb161c7a571fc4e60b0d1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3AB09231000108CFEB402B70F80C0087B7AEA042023688021FF0A80119AE271884CA51
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: ce55394fdebe9550227d2baf19b053896d9326e54e6d8e6671171e8da3d05b6b
                                                                                                                                                                                                                                  • Instruction ID: b81b226c40479863fcae3296d97ad2dce41065a8071f49cc5e581d4d2b6afec9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce55394fdebe9550227d2baf19b053896d9326e54e6d8e6671171e8da3d05b6b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4AA02230002B0C82822C22B02082220338C280020C3E000B8830C0AA200E3FE0A8C880
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 54c0e04e3ed907a51530cd0810b24dc9c221fe1a817db9fc546c6330603e07fb
                                                                                                                                                                                                                                  • Instruction ID: 773e8ca5683ad99331fbda1888c017f2429096348400aa63baa10f18137b44aa
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54c0e04e3ed907a51530cd0810b24dc9c221fe1a817db9fc546c6330603e07fb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 34B0123200010CE78A001B41E808845BF2DD7102907008022FE0401011D7335460D594
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: a1f1ad9ec8c666c62c55b511cf7e69aa69cb93921d57ff9b8ea408ddb3318e2a
                                                                                                                                                                                                                                  • Instruction ID: 5b1b30199374080c8ab521e4393a3a9ef6c7c73401a4260cc7ffe9d7ec767abc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1f1ad9ec8c666c62c55b511cf7e69aa69cb93921d57ff9b8ea408ddb3318e2a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C890023504460C8B9540279575096957B9D95859157804091AF0D415015AA56C2055A5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1950519314.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6b90000_lz3EbiqoK4.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 6fe8e222efe346ea7f1a7766b0894f12657f71557c7b90cf83d728458dd68e4c
                                                                                                                                                                                                                                  • Instruction ID: 46c171dbcce3d86c7e6e6e7ac50496d0e7c1c034ef3e77402396ed001ec29e5a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6fe8e222efe346ea7f1a7766b0894f12657f71557c7b90cf83d728458dd68e4c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash:

Execution Graph

Execution Coverage: 10.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph 11696 7ffd9bac3569 11697 7ffd9bac3571 DeleteFileW 11696->11697 11699 7ffd9bac3616 11697->11699

Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed)
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: c159d2e7d7479717fcba865965e879a70009c72875042cc9a6395208600d029a
                                                                                                                                                                                                                                  • Instruction ID: 45f6da467ae30debd1865ca2cbea660fc2a8b8ef98aa174e8f82349eef890119
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c159d2e7d7479717fcba865965e879a70009c72875042cc9a6395208600d029a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B192293171D90D4FEBA8EB5C9469AB933D1EF99314F0501BAE44FC72A7DE29AC028741

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  control_flow_graph 621 7ffd9bd34dc6-7ffd9bd34dd8 623 7ffd9bd34dbe-7ffd9bd34dc3 621->623 624 7ffd9bd34dda-7ffd9bd34e33 621->624 626 7ffd9bd34e84-7ffd9bd34ebc call 7ffd9bd338a0 call 7ffd9bd33730 624->626 627 7ffd9bd34e35-7ffd9bd34e40 624->627 635 7ffd9bd34ebe-7ffd9bd34ed3 call 7ffd9bd34ae0 626->635 636 7ffd9bd34ed8-7ffd9bd34ee0 626->636 629 7ffd9bd34e47-7ffd9bd34e4a 627->629 629->626 632 7ffd9bd34e4c-7ffd9bd34e61 call 7ffd9bd33730 629->632 632->626 641 7ffd9bd34e63-7ffd9bd34e7f call 7ffd9bd33140 632->641 635->636 639 7ffd9bd34ee2-7ffd9bd34efa 636->639 640 7ffd9bd34efc 636->640 642 7ffd9bd34efe-7ffd9bd34f05 639->642 640->642 641->626 645 7ffd9bd34f07-7ffd9bd34f17 642->645 646 7ffd9bd34f18-7ffd9bd34f5a 642->646 647 7ffd9bd34f60-7ffd9bd34f93 646->647 648 7ffd9bd35a36-7ffd9bd35a40 646->648 658 7ffd9bd351ee-7ffd9bd35200 647->658 659 7ffd9bd34f99-7ffd9bd34fab 647->659 649 7ffd9bd35a42-7ffd9bd35a4d 648->649 650 7ffd9bd35a58 648->650 651 7ffd9bd35a5d-7ffd9bd35a5f 649->651 650->651 653 7ffd9bd35a61-7ffd9bd35a73 651->653 654 7ffd9bd35a7a-7ffd9bd35a7f 651->654 653->654 656 7ffd9bd35a84-7ffd9bd35a95 654->656 657 7ffd9bd35a81 654->657 663 7ffd9bd3620e-7ffd9bd362be 656->663 657->656 665 7ffd9bd352c3-7ffd9bd352c5 658->665 666 7ffd9bd35206-7ffd9bd35232 658->666 659->658 667 7ffd9bd34fb1-7ffd9bd34fe3 659->667 669 7ffd9bd352c7-7ffd9bd352d9 665->669 670 7ffd9bd35335-7ffd9bd35347 665->670 666->665 675 7ffd9bd35238-7ffd9bd3523d 666->675 677 7ffd9bd34fe5-7ffd9bd35007 667->677 678 7ffd9bd35016-7ffd9bd3504a 667->678 669->670 683 7ffd9bd352db-7ffd9bd352de 669->683 680 7ffd9bd3534d-7ffd9bd35379 670->680 681 7ffd9bd3591b-7ffd9bd3592d 670->681 675->665 682 7ffd9bd35243-7ffd9bd35246 675->682 677->678 699 7ffd9bd3507e-7ffd9bd350b5 678->699 700 7ffd9bd3504c-7ffd9bd3506c 
678->700 703 7ffd9bd353af-7ffd9bd353c6 680->703 704 7ffd9bd3537b-7ffd9bd35384 680->704 701 7ffd9bd3592f-7ffd9bd35937 681->701 702 7ffd9bd3599c-7ffd9bd359ae 681->702 685 7ffd9bd35248-7ffd9bd35251 682->685 686 7ffd9bd3526b-7ffd9bd35274 682->686 687 7ffd9bd352e0-7ffd9bd352fb 683->687 688 7ffd9bd35304-7ffd9bd35332 call 7ffd9bd34bb0 683->688 685->686 696 7ffd9bd35276-7ffd9bd35299 686->696 697 7ffd9bd3529b-7ffd9bd352c0 call 7ffd9bd34bb0 686->697 687->688 688->670 696->697 697->665 716 7ffd9bd35141-7ffd9bd3516e 699->716 717 7ffd9bd350bb-7ffd9bd350d3 699->717 700->699 701->702 711 7ffd9bd35939-7ffd9bd35966 701->711 731 7ffd9bd359b0-7ffd9bd359ba 702->731 732 7ffd9bd35a25-7ffd9bd35a30 702->732 729 7ffd9bd354c2-7ffd9bd354ef 703->729 730 7ffd9bd353cc-7ffd9bd353f5 703->730 713 7ffd9bd353a8-7ffd9bd353a9 704->713 714 7ffd9bd35386-7ffd9bd35396 704->714 711->702 734 7ffd9bd35968-7ffd9bd35971 711->734 713->703 714->713 739 7ffd9bd35170-7ffd9bd35179 716->739 740 7ffd9bd351a4-7ffd9bd351ae 716->740 727 7ffd9bd35138-7ffd9bd3513f 717->727 728 7ffd9bd350d5-7ffd9bd350e5 717->728 738 7ffd9bd35105-7ffd9bd35136 727->738 728->738 749 7ffd9bd3551f-7ffd9bd35548 729->749 750 7ffd9bd354f1-7ffd9bd3551c 729->750 730->681 755 7ffd9bd353fb-7ffd9bd3541b 730->755 736 7ffd9bd35a4f-7ffd9bd35a56 731->736 737 7ffd9bd359c0-7ffd9bd359ec 731->737 732->647 732->648 742 7ffd9bd35973-7ffd9bd35983 734->742 743 7ffd9bd35995-7ffd9bd35996 734->743 736->732 737->732 757 7ffd9bd359ee-7ffd9bd359f7 737->757 738->740 747 7ffd9bd3519d-7ffd9bd3519e 739->747 748 7ffd9bd3517b-7ffd9bd3518b 739->748 740->663 752 7ffd9bd351b4-7ffd9bd351d5 740->752 742->743 743->702 747->740 748->747 768 7ffd9bd355df-7ffd9bd355f3 749->768 769 7ffd9bd3554e-7ffd9bd3557d 749->769 750->749 752->658 770 7ffd9bd351d7-7ffd9bd351e6 752->770 755->729 761 7ffd9bd35a1e-7ffd9bd35a1f 757->761 762 7ffd9bd359f9-7ffd9bd35a09 757->762 761->732 762->761 771 7ffd9bd355f5-7ffd9bd3560c 768->771 769->768 775 7ffd9bd3557f-7ffd9bd355ab 769->775 770->658 776 
7ffd9bd3560e-7ffd9bd35613 771->776 777 7ffd9bd35647-7ffd9bd35674 771->777 775->768 780 7ffd9bd355ad-7ffd9bd355dc 775->780 776->777 779 7ffd9bd35615-7ffd9bd35637 776->779 783 7ffd9bd35676-7ffd9bd356c7 call 7ffd9bd34ae0 777->783 784 7ffd9bd356cc-7ffd9bd356f8 777->784 779->771 789 7ffd9bd35639-7ffd9bd35644 779->789 780->768 783->784 793 7ffd9bd3573d-7ffd9bd35769 784->793 794 7ffd9bd356fa-7ffd9bd35738 call 7ffd9bd34ae0 784->794 789->777 799 7ffd9bd357ae-7ffd9bd357da 793->799 800 7ffd9bd3576b-7ffd9bd357a9 call 7ffd9bd34ae0 793->800 794->793 805 7ffd9bd35842-7ffd9bd3586f 799->805 806 7ffd9bd357dc-7ffd9bd357f0 799->806 800->799 810 7ffd9bd358b4-7ffd9bd358e0 805->810 811 7ffd9bd35871-7ffd9bd358af call 7ffd9bd34ae0 805->811 808 7ffd9bd357f1-7ffd9bd35811 806->808 808->805 814 7ffd9bd35813-7ffd9bd35835 808->814 810->681 819 7ffd9bd358e2-7ffd9bd358eb 810->819 811->810 814->808 823 7ffd9bd35837-7ffd9bd3583a 814->823 821 7ffd9bd358ed-7ffd9bd35910 819->821 822 7ffd9bd35912-7ffd9bd35913 819->822 821->822 822->681 823->805
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d06d9e08ac48f04da346639e47cd6b6ce16b88fc4ec53bd5709d582905a8352
• Instruction ID: cc40c51e91ffd81b5c966a3f182a1ec912d8fe3ab1943a6812701ba81f317c23
• Opcode Fuzzy Hash: 0d06d9e08ac48f04da346639e47cd6b6ce16b88fc4ec53bd5709d582905a8352
• Instruction Fuzzy Hash: 7F92A370A19A0D8FDFA8DF58C4A0BA977E1FF58308F1541A9D04ED72A6DB35E941CB40

Control-flow Graph

                                                                                                                                                                                                                                  control_flow_graph 826 7ffd9bd3a7cd-7ffd9bd3a869 828 7ffd9bd3a86f-7ffd9bd3a872 826->828 829 7ffd9bd3aee1-7ffd9bd3aef6 826->829 828->829 830 7ffd9bd3a878-7ffd9bd3a895 828->830 830->829 832 7ffd9bd3a89b-7ffd9bd3a8ba 830->832 834 7ffd9bd3a8c6-7ffd9bd3a8d9 832->834 835 7ffd9bd3a8bc-7ffd9bd3a8bf 832->835 838 7ffd9bd3a969-7ffd9bd3a97b 834->838 836 7ffd9bd3a8de-7ffd9bd3a8f2 835->836 837 7ffd9bd3a8c1 835->837 841 7ffd9bd3a924-7ffd9bd3a962 836->841 842 7ffd9bd3a8f4-7ffd9bd3a90e 836->842 837->829 838->829 843 7ffd9bd3a981-7ffd9bd3a9c0 838->843 841->838 842->829 846 7ffd9bd3a914-7ffd9bd3a923 842->846 843->829 851 7ffd9bd3a9c6-7ffd9bd3a9d0 843->851 846->841 854 7ffd9bd3a9d2-7ffd9bd3a9e6 851->854 855 7ffd9bd3a9e8-7ffd9bd3a9f8 851->855 857 7ffd9bd3aa02-7ffd9bd3aa57 854->857 855->857 861 7ffd9bd3aa5d-7ffd9bd3aa65 857->861 862 7ffd9bd3aa67-7ffd9bd3aa7b 861->862 863 7ffd9bd3aacb-7ffd9bd3aad3 861->863 862->863 867 7ffd9bd3aa7d-7ffd9bd3aac7 862->867 863->829 864 7ffd9bd3aad9-7ffd9bd3aafb 863->864 868 7ffd9bd3abff-7ffd9bd3ac35 864->868 869 7ffd9bd3ab01-7ffd9bd3ab2a 864->869 867->863 868->829 881 7ffd9bd3ac3b-7ffd9bd3ac4d 868->881 873 7ffd9bd3ab30-7ffd9bd3ab56 869->873 874 7ffd9bd3abb1-7ffd9bd3abd2 869->874 873->874 885 7ffd9bd3ab58-7ffd9bd3ab6e 873->885 874->869 877 7ffd9bd3abd8 874->877 877->868 881->829 886 7ffd9bd3ac53-7ffd9bd3ac71 881->886 885->874 889 7ffd9bd3ab70-7ffd9bd3ab88 885->889 886->829 893 7ffd9bd3ac77-7ffd9bd3aca5 886->893 889->874 892 7ffd9bd3ab8a-7ffd9bd3abaf 889->892 892->874 896 7ffd9bd3abda-7ffd9bd3abf8 892->896 900 7ffd9bd3acc8-7ffd9bd3acd5 893->900 901 7ffd9bd3aca7-7ffd9bd3acc1 893->901 896->868 904 7ffd9bd3acdb-7ffd9bd3ad08 900->904 905 7ffd9bd3ad9a-7ffd9bd3adba 900->905 901->900 914 7ffd9bd3ad2b-7ffd9bd3ad37 904->914 915 
7ffd9bd3ad0a-7ffd9bd3ad24 904->915 908 7ffd9bd3adc4-7ffd9bd3ae00 905->908 909 7ffd9bd3adbc-7ffd9bd3adbd 905->909 908->829 921 7ffd9bd3ae06-7ffd9bd3ae23 908->921 909->908 919 7ffd9bd3ad88-7ffd9bd3ad94 914->919 920 7ffd9bd3ad39-7ffd9bd3ad45 914->920 915->914 919->829 919->905 922 7ffd9bd3b030-7ffd9bd3b047 920->922 923 7ffd9bd3ad4b-7ffd9bd3ad81 920->923 928 7ffd9bd3ae2d-7ffd9bd3ae68 921->928 929 7ffd9bd3ae25-7ffd9bd3ae26 921->929 930 7ffd9bd3b051-7ffd9bd3b0bf call 7ffd9bd34860 call 7ffd9bd37560 call 7ffd9bd34b60 call 7ffd9bd3b0c0 922->930 931 7ffd9bd3b049-7ffd9bd3b050 922->931 923->919 928->829 943 7ffd9bd3ae6a-7ffd9bd3ae7c 928->943 929->928 931->930 943->829 948 7ffd9bd3ae7e-7ffd9bd3ae9c 943->948 948->829 951 7ffd9bd3ae9e-7ffd9bd3aeba 948->951 954 7ffd9bd3aef7-7ffd9bd3af6c 951->954 955 7ffd9bd3aebc-7ffd9bd3aedf 951->955 965 7ffd9bd3af72-7ffd9bd3af9a 954->965 966 7ffd9bd3b017-7ffd9bd3b02f 954->966 955->829 955->954 965->966 969 7ffd9bd3af9c-7ffd9bd3b010 965->969 969->966
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d74a7ec73e17bd4a9dfc4e2aaaca1c724b6188707f373319e2e425753c16f812
• Instruction ID: bf010ec8b8a7a778cc34696620af8a995761d3fb195e9d85879bdbf3ba556adb
• Opcode Fuzzy Hash: d74a7ec73e17bd4a9dfc4e2aaaca1c724b6188707f373319e2e425753c16f812
• Instruction Fuzzy Hash: DF625230708A4D8FEBA8EB2CC465B6977E1FF99304F1541B9E44DC72A6DE35E8428B41

Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc81f786f4599d104507fe1e426c02699cd3a39bda3d01ba004eefd4fbe5cb69
• Instruction ID: 19ee3debfb7d1582698fbe80418a9c8afe1b2e690e94a30a81b910265b5c0505
• Opcode Fuzzy Hash: bc81f786f4599d104507fe1e426c02699cd3a39bda3d01ba004eefd4fbe5cb69
• Instruction Fuzzy Hash: 1122C430B09A0D4FEBA8EB5884A57B873E2FF98304F55517DD44FD32A3DE29A9428740

Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a180f367a276acac14d09c262d4099f685c5b87fd15ba6c666a4a4fd756546f
• Instruction ID: 8255c18c9a466f873059cfea008fd7a4d40efe11cf6ed230702f62b1efb034c0
• Opcode Fuzzy Hash: 7a180f367a276acac14d09c262d4099f685c5b87fd15ba6c666a4a4fd756546f
• Instruction Fuzzy Hash: 35327274A18A1D8FDBA8EF58C895BB973E1FF58304F1145B9D04ED32A6DB34A981CB40

Control-flow Graph

                                                                                                                                                                                                                                  control_flow_graph 0 7ffd9bd33f3d-7ffd9bd33f3e 1 7ffd9bd33f9f-7ffd9bd33fa6 0->1 2 7ffd9bd33f40-7ffd9bd33f47 0->2 3 7ffd9bd33fa8-7ffd9bd33fa9 1->3 4 7ffd9bd33fab-7ffd9bd33fbd 1->4 2->1 3->4 6 7ffd9bd33fbf-7ffd9bd33fc7 4->6 7 7ffd9bd3400d-7ffd9bd3400e 4->7 8 7ffd9bd34002-7ffd9bd34008 6->8 9 7ffd9bd33fc9-7ffd9bd33fcc 6->9 11 7ffd9bd34015-7ffd9bd3401d 7->11 10 7ffd9bd34513-7ffd9bd34525 8->10 9->8 12 7ffd9bd33fce-7ffd9bd33ffd 9->12 15 7ffd9bd34526-7ffd9bd34539 10->15 13 7ffd9bd3401f-7ffd9bd34034 11->13 14 7ffd9bd34038-7ffd9bd3403e 11->14 12->15 13->14 17 7ffd9bd34044-7ffd9bd34058 14->17 18 7ffd9bd34379-7ffd9bd34380 14->18 17->18 19 7ffd9bd34382-7ffd9bd34385 18->19 20 7ffd9bd34387-7ffd9bd34393 18->20 22 7ffd9bd34395-7ffd9bd34398 19->22 20->22 23 7ffd9bd343a5-7ffd9bd343ad 22->23 24 7ffd9bd3439a-7ffd9bd343a0 22->24 27 7ffd9bd3450d 23->27 28 7ffd9bd343b3-7ffd9bd343d0 23->28 24->15 27->10 30 7ffd9bd343d2-7ffd9bd343e2 call 7ffd9bd33020 28->30 31 7ffd9bd343f7-7ffd9bd34402 28->31 30->31 41 7ffd9bd343e4-7ffd9bd343f2 30->41 33 7ffd9bd344c2-7ffd9bd344c5 31->33 34 7ffd9bd34408-7ffd9bd3440d 31->34 33->27 35 7ffd9bd344c7-7ffd9bd344cd 33->35 37 7ffd9bd3440f 34->37 38 7ffd9bd34414-7ffd9bd34417 34->38 39 7ffd9bd344cf-7ffd9bd344d4 35->39 40 7ffd9bd344d6 35->40 37->38 42 7ffd9bd34427-7ffd9bd3442a 38->42 43 7ffd9bd34419-7ffd9bd34423 38->43 44 7ffd9bd344db-7ffd9bd3450b 39->44 40->44 41->31 45 7ffd9bd3442c-7ffd9bd3442f 42->45 46 7ffd9bd3447a-7ffd9bd3447d 42->46 43->42 44->15 47 7ffd9bd34451-7ffd9bd34454 45->47 48 7ffd9bd34431-7ffd9bd3444b 45->48 50 7ffd9bd3447f-7ffd9bd34488 46->50 51 7ffd9bd3448a-7ffd9bd3448f 46->51 52 7ffd9bd34464-7ffd9bd3446a 47->52 53 7ffd9bd34456-7ffd9bd3445c 47->53 48->47 60 7ffd9bd3453a-7ffd9bd34561 48->60 55 7ffd9bd34493-7ffd9bd344c0 50->55 
51->55 52->46 58 7ffd9bd3446c-7ffd9bd34476 52->58 53->52 57 7ffd9bd3445e-7ffd9bd34461 53->57 55->15 57->52 58->46 65 7ffd9bd34563-7ffd9bd34576 60->65 66 7ffd9bd34578-7ffd9bd3459c 60->66 69 7ffd9bd3459e-7ffd9bd34614 65->69 66->69 74 7ffd9bd34616-7ffd9bd34618 69->74 75 7ffd9bd34619-7ffd9bd34653 69->75 74->75 78 7ffd9bd34664-7ffd9bd34676 75->78 79 7ffd9bd34655-7ffd9bd3465d 75->79 83 7ffd9bd34683-7ffd9bd3468c 78->83 84 7ffd9bd34678-7ffd9bd34682 78->84 79->78 80 7ffd9bd3465f 79->80 82 7ffd9bd346fc-7ffd9bd34701 80->82 83->82
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: f9643d2e3f41011b4d1b6bd6ca317a21d0539d47152163d996f678bf002d156a
• Instruction ID: 6a3fa0a679d28694ca6b6cd58f5b246514daeace75f1585efb0ea210e8eb1660
• Opcode Fuzzy Hash: f9643d2e3f41011b4d1b6bd6ca317a21d0539d47152163d996f678bf002d156a
• Instruction Fuzzy Hash: 06D13631B0E64E4FEBA99B5894613B83BD1EF46314F0511BED48AC72E3DE5CAD428B41

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.3704974952.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bac0000_Client-built.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: ff4c06a8fe4da34da5363538982ba66788c9f5f0409ee1b9c912f0cf1c89fa57
• Instruction ID: 6d8f08e142bccd7dac9eaf1dc2837a6d944439bc5ad07eaf4ba5016919700c5a
• Opcode Fuzzy Hash: ff4c06a8fe4da34da5363538982ba66788c9f5f0409ee1b9c912f0cf1c89fa57
• Instruction Fuzzy Hash: 4641273190DB8C8FDB19EBA888596F97FF0EF56320F0542AFD049C72A2DA746905C781

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.3704974952.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bac0000_Client-built.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 6e59957cdfb2e566a1579c4f0508e2beebc3ebd6d47ffe110bb419ca7a33e5e0
• Instruction ID: 7f525e4d1a79d62bb277be22578c0979f32f9e9a113ac78ae3b4499452dab595
• Opcode Fuzzy Hash: 6e59957cdfb2e566a1579c4f0508e2beebc3ebd6d47ffe110bb419ca7a33e5e0
• Instruction Fuzzy Hash: 7731D23190DB5C8FDB19DB988859AF9BBF0FF66320F04426BD049D3292DB74A805CB81

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID: %_L
• API String ID: 0-1469106525
• Opcode ID: 83c527aad200a74c774f520652724567f53b757d8fd6c7bb55883db0592eb0b3
• Instruction ID: 60793375dfd7d6d8905738b4284904457d56de6759094338acfdde0ce283c08c
• Opcode Fuzzy Hash: 83c527aad200a74c774f520652724567f53b757d8fd6c7bb55883db0592eb0b3
• Instruction Fuzzy Hash: 13912631B0EA4E4FDBA9EB6888645F577E1EF54324B0601BED04EC72A3DE29E845C740

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID: a%_H
• API String ID: 0-3648799560
• Opcode ID: c07a96b22c59a06d153802bbdcdfb980f6e967adedb91af318feccda9bc543f7
• Instruction ID: 57519fad953cd026bbb7a7336aa312de31c6271ee7244fc1b460141dbe95e5b9
• Opcode Fuzzy Hash: c07a96b22c59a06d153802bbdcdfb980f6e967adedb91af318feccda9bc543f7
• Instruction Fuzzy Hash: F1510873B1AF4E0BE7ACDA6844626B573C2FF98358B54017DD45EC7297DD29B9024300

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID: #&_^
• API String ID: 0-519297270
• Opcode ID: b5e99527a296d5aea0e1d2c15144a1df2817b7473daa9f28ce9d1dc242a732b8
• Instruction ID: 0ec03f6ef6cc080a5519158d6927ba5d8598362dac0fddf411ebfdc19234a810
• Opcode Fuzzy Hash: b5e99527a296d5aea0e1d2c15144a1df2817b7473daa9f28ce9d1dc242a732b8
• Instruction Fuzzy Hash: 7B312837B081294AC324BABDF8958E87390DF9933F70882B7D59DCF097DA286485C6D4

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID: #&_^
• API String ID: 0-519297270
• Opcode ID: e66a2d830c76b8084a5431be5c391d2096be799b2b69257718f989d6868f7009
• Instruction ID: e6bf987dab4c30ba6da6b754185234966fcb90985803641327cc61a519bd1912
• Opcode Fuzzy Hash: e66a2d830c76b8084a5431be5c391d2096be799b2b69257718f989d6868f7009
• Instruction Fuzzy Hash: 41312637B081294AC324BABDF8958E87390DF9933F70842B7D599CF097DA286085C6D4

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID: #&_^
• API String ID: 0-519297270
• Opcode ID: 4972cd19531dab7de17bda05ffcb5b0ed25abc255377d121293b8e1765df9ec8
• Instruction ID: 9df572001f7aa44e1ae1206f893caa9d74d2ee6aec0c12a522bf935210c4c76e
• Opcode Fuzzy Hash: 4972cd19531dab7de17bda05ffcb5b0ed25abc255377d121293b8e1765df9ec8
• Instruction Fuzzy Hash: E8312627B0812A4AC324BABDF8958E87390DF9933F70886B7D599CF097D9286085C6D4

Control-flow Graph

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: N%_H
                                                                                                                                                                                                                                  • API String ID: 0-556661792
                                                                                                                                                                                                                                  • Opcode ID: 831e0ee7d602d49ed4fd311ecb47a5f1d5143b556fe09bfc2149ef8273acd1b3
                                                                                                                                                                                                                                  • Instruction ID: b3803eabbc95f2b97b863c42888a27b5fb489258f0be170f9de62694b9329d86
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 831e0ee7d602d49ed4fd311ecb47a5f1d5143b556fe09bfc2149ef8273acd1b3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6D317D71B0D7890FE3289B2C58295B1BBD1EF96314B1941BFE05ECB297DE29AC438741
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 42ea3130ae7550c09f97e9aaf84e2c429f9742e47012879c07feacd487daedab
                                                                                                                                                                                                                                  • Instruction ID: 7e54ce3d99665abf2fd587a6d0bf8b34b7794f1487097e7970b6713e7c5c3564
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 42ea3130ae7550c09f97e9aaf84e2c429f9742e47012879c07feacd487daedab
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3ED16F22F0E98D4FE779EAA888665E477D0FF95394B0501B9D04ECB2A3DD2CAD068741
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 33d71d8e304d85c28395b0d4f145194426eecd331877577fb7c495b41ed27cef
                                                                                                                                                                                                                                  • Instruction ID: 1e10aec075e486b678b5a54f96184933690094846f66c512af7b71c53ea6567a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 33d71d8e304d85c28395b0d4f145194426eecd331877577fb7c495b41ed27cef
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 99D14D3071990D4FDB98EB1CC469AB973E1EF59315B1211B9E44FCB2A7DE28EC428B41
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: a52dc9af5eb9c5324f0c8e8faa0d12a50ba4481d4a0f18c36dd6dd8718fad7aa
                                                                                                                                                                                                                                  • Instruction ID: 373b44745d900dc75330f81bbe82035a3db96352f0349239ca4be78d1ac97dff
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a52dc9af5eb9c5324f0c8e8faa0d12a50ba4481d4a0f18c36dd6dd8718fad7aa
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 97D10420B0EA4D4FE7A9AB6888697B877D1FF54314F0511B9D48FC71E3DE2DAA468300
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: ca26fcb337cb0d1b5df9ce793f4def0c35165aa73d1d26bb7d2747fb437863fe
                                                                                                                                                                                                                                  • Instruction ID: 6f63453c8c2329bc816d7161968e5b46c25d9a878aa402d3edca2641171db8f3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ca26fcb337cb0d1b5df9ce793f4def0c35165aa73d1d26bb7d2747fb437863fe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23D1B631B09A0D8FEBA8EB68C455BB977E1FF58314F0551BDD04EC72A2DE35A9818B40
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: cb9744381b7a322f3edd6e66e4a032d47c16b432d2b1b91e711bb94183c78265
                                                                                                                                                                                                                                  • Instruction ID: 6f8d8deaa7c137068bd5212be28afdbbe7ee65bd8af095d25619d18c8375ca9f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb9744381b7a322f3edd6e66e4a032d47c16b432d2b1b91e711bb94183c78265
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 83C11521B0EA0D4FEBA9AA6984697B877D1FF54304F1511BDD08FC71E3DE2DA9468300
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 6e7b30b2a4c1a489ee6cefcc76173a2ec1f42333321b839f9ac54ade1a6ceda8
                                                                                                                                                                                                                                  • Instruction ID: 3322b42c0c954f2125c9018f2d16b315c1d7ed5bce92725294b805d73ce46113
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e7b30b2a4c1a489ee6cefcc76173a2ec1f42333321b839f9ac54ade1a6ceda8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 33A19031B19A0E4FDBA8EB68D4616F973E1FF88324F115179E45ED3292DE35E9028B40
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: e5e590d0d1a1fb9a8d22d48ea44eef3fda1d45d0dfad722fd94a893ee79aa694
                                                                                                                                                                                                                                  • Instruction ID: 780002333a108312082fdaab3d4c12024e6b1346cf7535476d6573989aaf9f64
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e5e590d0d1a1fb9a8d22d48ea44eef3fda1d45d0dfad722fd94a893ee79aa694
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9A1A520B0990D4FEBA8EB6D84697B873D2FF58344F555079D44FC32E3DE29A9468740
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: d63b8a8f9883c8f277ada7074af36a0a53d0a703ca9efd8ecd16c25d4bd30370
                                                                                                                                                                                                                                  • Instruction ID: fa62b6ca9a4cd05e0c21b939f9e072d7b19b6267eb84f16a12dd468ea4eab11c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d63b8a8f9883c8f277ada7074af36a0a53d0a703ca9efd8ecd16c25d4bd30370
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F2918220B0990D4FEBA8EB6D84A97B873D2FF98344F515079D44FC32E3CE69A9468740
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 1a1bd757baf26d108e93f88d340bb07d20fd4e9a48a1ba619c7f25da1801adf4
                                                                                                                                                                                                                                  • Instruction ID: dbbea366444e10c1ba832d605773b13b6001284dfc478384470e21a79ef3b517
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1a1bd757baf26d108e93f88d340bb07d20fd4e9a48a1ba619c7f25da1801adf4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 82919420B0990D4FEBA8EB6D84A97B873D2FF98344F515079D44FC32E3DE69A9468740
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 99712313444e826ebc33cab510b7c348f45c038678c2ada48cbaeb86fdc6147e
                                                                                                                                                                                                                                  • Instruction ID: d56a7f49db437088c26d372614ad4e27ac23f975804c2278736623cdbec0e52b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 99712313444e826ebc33cab510b7c348f45c038678c2ada48cbaeb86fdc6147e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F918320B0990D4FEBA8EB6D84A97B873D2FF98344F515079D44FC32E3DE69A9468740
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: ed3aef52484b152f74200ec29ca35925bc80e2e99880a6aadab00ad8bd6b1ea4
                                                                                                                                                                                                                                  • Instruction ID: 3d33257af6553b9335a735a51f841278dbb3a8cd9653b667035829d4284a4d31
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ed3aef52484b152f74200ec29ca35925bc80e2e99880a6aadab00ad8bd6b1ea4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BF918220B0990D4FEBA8EB6D84A97B873D2FF98344F515079D44FC32E3DE69A9468740
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 8b1dec431c45e829993d889004050c61fd5ce5be8a9f7f8d6bf2daf95fbecff3
                                                                                                                                                                                                                                  • Instruction ID: 240c2c2e008bea444ef90223bde7261832a185d81c68bb83d30889c47f7211d3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b1dec431c45e829993d889004050c61fd5ce5be8a9f7f8d6bf2daf95fbecff3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89713A3271DD4D0FE798EB6CD869AB537D1EF89324B0501BAE44EC72A7ED24AC424781
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: fb41bbac48daf037ae2dd1a8d9669200f4bd25ae252e4e1ef932cc3c2fb509f0
                                                                                                                                                                                                                                  • Instruction ID: 29a6130195512e7e1d94da55cbbc370ae22513d8e88f9cf309d574e6c214ec0e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fb41bbac48daf037ae2dd1a8d9669200f4bd25ae252e4e1ef932cc3c2fb509f0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B81D131B09A4D4FEBA5DF689864AF577E1EF49304F0A00BAE45EC71A3DA28ED41C701
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: b44fd3d6877c324b2a705a7c9a3ecc1d85b44f5ce5a1302d43ca03f804c5eae2
                                                                                                                                                                                                                                  • Instruction ID: 98ccec5b6c6a8bd1a12e561c64e4fc87040d29c9130c455fdaf23268f29786ea
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b44fd3d6877c324b2a705a7c9a3ecc1d85b44f5ce5a1302d43ca03f804c5eae2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FE71A271B1D94D4FDB98EF6CC4A5AA977E2FF98314B0501BAE04EC7297CA24EC018B41
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: db74bcf40fb71a4fe3679094c51a08a7126180751d44d596aebb6dd23f4ede27
                                                                                                                                                                                                                                  • Instruction ID: 77a5dbb76db6abe228002811ede937dc8be7f1005330ca71971ca781f48eac96
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: db74bcf40fb71a4fe3679094c51a08a7126180751d44d596aebb6dd23f4ede27
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 46611662B1E94E4FE7ADAB6894656B523D2FF99354B4510BDD00FC72E7DE28BC028340
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 52a0a3ba930d4d8a74abe7b347b723fb5dafaa2aff377901ccc87606b62451de
                                                                                                                                                                                                                                  • Instruction ID: 6489c9ba6de1057c01a58d14fcfaaa02d948ca8de6934c327efc0b39b660f076
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 52a0a3ba930d4d8a74abe7b347b723fb5dafaa2aff377901ccc87606b62451de
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B519872B1DE494FF7A8AB684462AE473D2EF94388B54057ED41EC32DBDD29F8428700
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 9c21c51b35624c15c977423525771c2c475cc8cb29a947690e1865bdcd35cf51
                                                                                                                                                                                                                                  • Instruction ID: de9873583b7654d6c8310e6a87d30fa38f0ec99c6c8244cdc0ac30c4f948b675
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c21c51b35624c15c977423525771c2c475cc8cb29a947690e1865bdcd35cf51
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78511871A0E64E4FEB6DAB6898506B57BD0EF56328F1111BED48EC31E7DD18A8028381
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8078331c18440494adb52be9a723fea1743f28d7dac75683f5d60084092c4bde
• Instruction ID: f30b751810ba30bb85923f0c1b2d5df9d18dad05df21e745d12cfe0b9de3416a
• Opcode Fuzzy Hash: 8078331c18440494adb52be9a723fea1743f28d7dac75683f5d60084092c4bde
• Instruction Fuzzy Hash: 5251B371A09A4E8FDB99EF58C454AE97BE1FF59314F0541B6E05EC72A2CF34A901CB40
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ecf502a29af431c458ebb5f07311476a97cb292171fb60c846ee7b3408a092c
• Instruction ID: 6935f8cd0c5aeb5df3ee42eb3589da99954f1e7ffa85bc535913a19ef4dc0b5a
• Opcode Fuzzy Hash: 9ecf502a29af431c458ebb5f07311476a97cb292171fb60c846ee7b3408a092c
• Instruction Fuzzy Hash: E1514773B0EB890FE77DDB6848755E47BD0EF94358B0901BED08ACB1A7DD18A9858381
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b646b63c062a090e60f6407758b7cb6814f0be1f7091aa98d4b4e05bb4c12f8b
• Instruction ID: 073a4c5f24bc1876568a92a650fbb0c3c11afa69281ea5c7578d424da726d6c7
• Opcode Fuzzy Hash: b646b63c062a090e60f6407758b7cb6814f0be1f7091aa98d4b4e05bb4c12f8b
• Instruction Fuzzy Hash: A8412B22B1EE4E0FE7EC966C98A59F53BC1EF9936470501BAD05EC72D7ED18AC428341
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b82f681003f0c150b513c8c369023449da7ea22374df1fc04734ded8d5cd0668
• Instruction ID: 70d8a7c860dcdabbd6ab7774053ce5d8ecfaca7a9638c0a3618e504dc102bd4e
• Opcode Fuzzy Hash: b82f681003f0c150b513c8c369023449da7ea22374df1fc04734ded8d5cd0668
• Instruction Fuzzy Hash: 5241F911B1FA890FE799A73C88746B07BE1DF56344F0944FAD489CB1B7D9199986C301
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 437af9dacbf76f450ce49243b8f46abaf56df01ea66315843773de629461dc7d
• Instruction ID: 2f4bbb1a96b140bf2e5376d0a79fc6351754f2c15a705b591f2f8a4b57ada45a
• Opcode Fuzzy Hash: 437af9dacbf76f450ce49243b8f46abaf56df01ea66315843773de629461dc7d
• Instruction Fuzzy Hash: 81312B22B0EE4D0FD7A9966C88659B43BD1EF9926470501FAD05EC72A7ED18BC428341
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f10a0c65c498697259e7d34a72006ebf7307c7580e7cca123fe6a53f760cc75b
• Instruction ID: 4cf25a415f020b11ef2ebb597471072ec090b9c52332295542cdda9368a0bd14
• Opcode Fuzzy Hash: f10a0c65c498697259e7d34a72006ebf7307c7580e7cca123fe6a53f760cc75b
• Instruction Fuzzy Hash: E7413D3070AA4E8FDBA9EB58C461BB937A1FF55308F4510B9E40ECB1E2CB29E955C701
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f07be489e25cdf325e392a38d11ea1e9b91c69bc118831f6de7320e20eb49b52
• Instruction ID: 39d6d69ff9f2b11bb8367f17eb91fa9d5b977458350cd3653d461276d89f04af
• Opcode Fuzzy Hash: f07be489e25cdf325e392a38d11ea1e9b91c69bc118831f6de7320e20eb49b52
• Instruction Fuzzy Hash: 75316F62A1F58A0FD79E97B884615B13BE1EF8736470541FED049CB1A7DC2EA846C340
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0f5e494e2c2432395c23e35eca857f60afd4a52919aea7cb7a3251ab59b96aa2
• Instruction ID: e552813ff99302f0da463e9bb4b4882b2d51378dae6c45e59609e6677fa184a4
• Opcode Fuzzy Hash: 0f5e494e2c2432395c23e35eca857f60afd4a52919aea7cb7a3251ab59b96aa2
• Instruction Fuzzy Hash: 56312821B2EA4D4FE769A7A888B15F977A0EF59358F0101BBE04FCB1D7DC2869058351
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db4452e6419c969d346177556066b50d0f65d6051d24b525da5201bbfc04ea91
• Instruction ID: 453457461e3bd89a7ddf930f1038c0d3f849a1ddc0945f95424f6abd6b85e1e4
• Opcode Fuzzy Hash: db4452e6419c969d346177556066b50d0f65d6051d24b525da5201bbfc04ea91
• Instruction Fuzzy Hash: 45310831B0D90D5FFB9CFB689955AB933D1EF99328B011179D44EC32A7EE28E8024781
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fa7882474877c3d3ff86fe9ae4ae9d81785afe381dfcd16412098645a7428aa
• Instruction ID: 5212ee02e5293c12cf9a2f0560f78803181970c2c704951be650bbaa2afbc6cb
• Opcode Fuzzy Hash: 9fa7882474877c3d3ff86fe9ae4ae9d81785afe381dfcd16412098645a7428aa
• Instruction Fuzzy Hash: 1D313231A0E98A5FE3BDA26898A56B476D0EF45354F1A10B9C44FC31B3DF18EA81CB41
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39aff03cbe60c30983de9bda3c904756c8c31c59c21407efeaa993be329da41f
• Instruction ID: 906f006a17502a71b5808f82cb6bce5bed75f32682a146582ac4cba0b804e61e
• Opcode Fuzzy Hash: 39aff03cbe60c30983de9bda3c904756c8c31c59c21407efeaa993be329da41f
• Instruction Fuzzy Hash: 28110A23B1AD0D0BE7EC959D58669B573C1EF9837471612B9E05EC3297ED14BC828280
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: b3efe01ddca95659526ff864a5c616d1cace0e509fced18235facad117beefb0
                                                                                                                                                                                                                                  • Instruction ID: 0e31f2142c4c26536dc31d396551d14e48abe8bfa8529424d5ee81b1e4dfaeeb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b3efe01ddca95659526ff864a5c616d1cace0e509fced18235facad117beefb0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CE21052158F6C91FC346A7B88C259D57FE4DF8B16430D42FAE089CB5A3C91C9947C761
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 3e85b433688e1fc0f131ba06bd71e96bff3ed90bf8aad1812bea6720f120af4c
                                                                                                                                                                                                                                  • Instruction ID: 1b0fff247354a7470595bf02f106a44824f6129943d173136f4f03b9426d7c2d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3e85b433688e1fc0f131ba06bd71e96bff3ed90bf8aad1812bea6720f120af4c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 18210893B2EE8A0FE79D976848626B567D1EF98348B0841BEA09FC71D7DD1CB5054300
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 4fe6e5772adf60f844ec40f4d3f074ffb8ca08da295c7ee28563df51687c55f9
                                                                                                                                                                                                                                  • Instruction ID: 9e3ab6d436cfcf7c40979ad4b9ce72e1f2d81d0dab0cf1bbefd2c735b876d67f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4fe6e5772adf60f844ec40f4d3f074ffb8ca08da295c7ee28563df51687c55f9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 49217C3061CA0D8FDB98DF1CD4556B9B7E1FF98311F10113EE48AD3262DA35E8428B41
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: cebdbd2ebd56abfc34944598977706cdced272aca70c40c624d87847b13ee249
                                                                                                                                                                                                                                  • Instruction ID: 0b9ecce24476c3ad1ad47be92a2813e1c121d9dd5ad68342c8bb7c4395606169
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cebdbd2ebd56abfc34944598977706cdced272aca70c40c624d87847b13ee249
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7011A21158FADA0FE35657B94C395E13FA49F8716430D42E7E086CB4F3D84C5A8A8361
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: b455feb385eef30bb1c88c567ca4a1766372257877af551dd077663c79f50696
                                                                                                                                                                                                                                  • Instruction ID: 5c0a5d6941e72aaab4a0a1e318573c73672535a8519b8ef85598afdb284f4653
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b455feb385eef30bb1c88c567ca4a1766372257877af551dd077663c79f50696
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C521F222B3590D4BE768A79884B2AFA7291FF58358F40427AE04FC71C7DC68A9064380
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 76e5d2f00363b6469227e69a6bb6f61e11484e6bfd46426b4e8df9d8746a27eb
                                                                                                                                                                                                                                  • Instruction ID: 156dc4940b7cb1c5e46114bc7ef33abade9dc7449fac062634b3b5767f6be5dc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 76e5d2f00363b6469227e69a6bb6f61e11484e6bfd46426b4e8df9d8746a27eb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E01D462B1AE4E0FD7ACEA3804655B9A392FFD8248708457DE05AC7297CF29B9064300
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 347265ba2e8d799c3d1a470933ae82d1e722ccecda7e6c369a08a603447448d3
                                                                                                                                                                                                                                  • Instruction ID: c67179826867cb0834317b7813229b0652665889ac50d9c1bfa443529a2d2fcb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 347265ba2e8d799c3d1a470933ae82d1e722ccecda7e6c369a08a603447448d3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC01F92150EB594FD756E32884652F57FD1DF85224F0D056ED089C70F3CD9846C58382
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 93b5a70d703a291785676e70cf6ded119dbf9394ab7586d8d6474a6107da2d17
                                                                                                                                                                                                                                  • Instruction ID: babe0599b75047412944f6d218f8abfd75d2045bef6aa91f74b7db9a20a586f5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 93b5a70d703a291785676e70cf6ded119dbf9394ab7586d8d6474a6107da2d17
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D5F04631A0EACC2FDB1597B898685EA7FF0EF86304F0641EBE44CCB1A3DD2466448341
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 661d4936121daadac5bd82c783e91257b57969dda92c66c892dcfa0e7e256f8f
• Instruction ID: 5b93be114038da023f214084531b631ffa5a01a2b7c54187c9215cd6e2cff681
• Opcode Fuzzy Hash: 661d4936121daadac5bd82c783e91257b57969dda92c66c892dcfa0e7e256f8f
• Instruction Fuzzy Hash: CFF09E27B4ED0E1BD258B4CD6CD10F03380EB81374B45123AC61AC3052D88969520390
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36cc905ac16d20fd458bc507ad9e23ae9a8fb6e378e2848eb058c1594e6e29db
• Instruction ID: 3a600fdf924c5b05881bf93485f823495336b8804cb91652373a5704020da44c
• Opcode Fuzzy Hash: 36cc905ac16d20fd458bc507ad9e23ae9a8fb6e378e2848eb058c1594e6e29db
• Instruction Fuzzy Hash: EAF02E21B29A4E07E768AF7C54152B573C1EF45319B460579D48EC71B2DE29DC424341
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3095a292635230c5b41d2fa647cf163847f43a30e8f9ea0934ccea134eb05e15
• Instruction ID: c924427682b9e6849970d4b7304edd4df48b72d11455920ec2f50922b06fd3fd
• Opcode Fuzzy Hash: 3095a292635230c5b41d2fa647cf163847f43a30e8f9ea0934ccea134eb05e15
• Instruction Fuzzy Hash: E9F0A471E1E6CC4FE7599BA488691E97FF0EF56214F4606E7E449C70A3EA2859458300
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
• Instruction ID: fea82824fb36beb0032e75eb8efeb5191c16016ec155953803cf71105fed1b5a
• Opcode Fuzzy Hash: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
• Instruction Fuzzy Hash: F4F0827150950D5FD628EB59EC565FA37A4FF85224F00013AF44D82152E6656962C750
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7487fc331c25be0fdf61126d8ccc341b64504bd8b150b4e3fd776c75eb30a6df
• Instruction ID: cad3d2eecfb971f8f4607b08e268f2e7c13abb03c0f2b29fbb67d3c92d1b16e0
• Opcode Fuzzy Hash: 7487fc331c25be0fdf61126d8ccc341b64504bd8b150b4e3fd776c75eb30a6df
• Instruction Fuzzy Hash: DED0A51375E74E06F9D066887CA11F163C5EB511797651373D449C3057DC1B57434101
Memory Dump Source
• Source File: 00000001.00000002.3713730974.00007FFD9BD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9bd30000_Client-built.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cc1c8425d5c8219fd63eab0b9ef2749b310c42d6fed62634394b275d1fba508
• Instruction ID: 8b8377bed55aaa0633be5ca7c507932d5a32a613ed196e96a71e3c2185bcf273
• Opcode Fuzzy Hash: 3cc1c8425d5c8219fd63eab0b9ef2749b310c42d6fed62634394b275d1fba508
• Instruction Fuzzy Hash: 5BD0A77160B74D8FD75DB73C40151643690EF18744F1444BDD00ACB0E2D55255198200

Execution Graph

Execution Coverage: 16.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 18.7%
Total number of Nodes: 1289
Total number of Limit Nodes: 24
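The node list that follows is the report's execution graph flattened into one token stream: each node appears as a numeric node id, the function's virtual address and, where that block reaches the Windows API, the API names (or a summary such as "18 API calls"); each edge appears as from->to. Read that way, the graph is a call tree, and the interesting question for triage is which API sequence sits behind a given function. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses the token stream into nodes and edges, lists the entry points (nodes nobody calls), finds which functions call a given API, and walks the graph depth-first so the API chain behind a function reads as a list. The SAMPLE string is a constructed excerpt, copied from the node list for function 401e44 on this page with line breaks left in the middle of records as the extracted report has them. The rule that tells node ids and addresses apart (ids are decimal, addresses are six to eight lowercase hex digits) is an assumption read off this dump, not a documented format.

```python
"""Parse a flattened Joe Sandbox "execution_graph" dump and read API chains from it.

Assumed record layout (taken from the dump on this page, not a documented format):
  node  = <decimal id> <6-8 lowercase hex address> [label tokens ...]
  edge  = <id>-><id>
  label = Windows API names, "N API calls" summaries, or ordinal imports like "#17"
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

NODE_ID = re.compile(r"^\d+$")
ADDRESS = re.compile(r"^[0-9a-f]{6,8}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# Regroups label tokens so that "18 API calls" stays a single entry.
LABEL = re.compile(r"\d+ API calls|#\d+|[A-Za-z_]\w*")

# Constructed sample: the 401e44 sub-graph as it appears in the node list on this page.
SAMPLE = """execution_graph 3208 401e44 3209 402a3a 18 API calls 3208->3209 3210 401e4a
3209->3210 3211 404f12 25 API calls 3210->3211 3212 401e54 3211->3212 3224 40548a
CreateProcessA 3212->3224 3214 401e5a 3215 4026a6 3214->3215 3216 401eb0 CloseHandle
3214->3216 3217 401e79 WaitForSingleObject 3214->3217 3227 4060ce 3214->3227 3216->3215
3217->3214 3218 401e87 GetExitCodeProcess 3217->3218 3220 401ea4 3218->3220 3221 401e99
3218->3221 3220->3216 3222 401ea2 3220->3222 3231 405c57 wsprintfA 3221->3231 3222->3216
3225 4054c9 3224->3225 3226 4054bd CloseHandle 3224->3226 3225->3214 3226->3225
3228 4060eb PeekMessageA 3227->3228 3229 4060e1 DispatchMessageA 3228->3229 3230 4060fb
3228->3230 3229->3228 3230->3217 3231->3222"""


@dataclass
class Node:
    nid: int
    address: str
    label: list[str] = field(default_factory=list)  # raw tokens after the address

    @property
    def apis(self) -> list[str]:
        return LABEL.findall(" ".join(self.label))


@dataclass
class Graph:
    nodes: dict[int, Node] = field(default_factory=dict)
    edges: dict[int, list[int]] = field(default_factory=lambda: defaultdict(list))


def parse_graph(text: str) -> Graph:
    """Whitespace tokenisation rejoins records that extraction split across lines."""
    tokens = text.split()
    g = Graph()
    current: Node | None = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            g.edges[int(m.group(1))].append(int(m.group(2)))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if NODE_ID.match(tok) and ADDRESS.match(nxt):   # "<id> <address>" starts a node
            current = Node(int(tok), nxt)
            g.nodes[current.nid] = current
            i += 2
            continue
        if current is not None:          # anything else belongs to the current node's label;
            current.label.append(tok)    # the leading "execution_graph" token is dropped
        i += 1
    return g


def entry_points(g: Graph) -> list[int]:
    """Nodes with no incoming edge: the roots the sandbox started each trace from."""
    targets = {dst for dsts in g.edges.values() for dst in dsts}
    return [n.nid for n in g.nodes.values() if n.nid not in targets]


def callers_of(g: Graph, api: str) -> list[str]:
    """Addresses of every block whose label contains the given API name."""
    return sorted(n.address for n in g.nodes.values() if api in n.apis)


def api_trace(g: Graph, root: int, max_depth: int = 50) -> list[str]:
    """Depth-first walk from root; cycles (3217->3214 above) are cut by the visited set."""
    seen: set[int] = set()
    out: list[str] = []

    def walk(nid: int, depth: int) -> None:
        if nid in seen or depth > max_depth:
            return
        seen.add(nid)
        node = g.nodes.get(nid)          # edges may point at nodes cut off by extraction
        if node is not None:
            out.extend(node.apis)
        for child in g.edges.get(nid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    graph = parse_graph(SAMPLE)
    for root in entry_points(graph):
        print(f"{graph.nodes[root].address}: {' -> '.join(api_trace(graph, root))}")
```

Run as a script it prints the API chain behind 401e44 (CreateProcessA, CloseHandle, WaitForSingleObject, GetExitCodeProcess, ...), which is the create-and-wait pattern a reviewer would otherwise have to assemble by hand from the edges. To apply it to the whole report, pass the complete execution_graph text to parse_graph instead of SAMPLE; callers_of is the quick way to locate, for instance, every block that reaches CreateProcessA or SetEnvironmentVariableA.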
                                                                                                                                                                                                                                  execution_graph 3603 4027c1 3617 402a1d 3603->3617 3605 4027c7 3606 402802 3605->3606 3607 4027eb 3605->3607 3612 4026a6 3605->3612 3610 402818 3606->3610 3611 40280c 3606->3611 3608 4027f0 3607->3608 3609 4027ff 3607->3609 3620 405cf9 lstrcpynA 3608->3620 3609->3612 3621 405c57 wsprintfA 3609->3621 3614 405d1b 18 API calls 3610->3614 3613 402a1d 18 API calls 3611->3613 3613->3609 3614->3609 3618 405d1b 18 API calls 3617->3618 3619 402a31 3618->3619 3619->3605 3620->3612 3621->3612 3622 401cc2 3623 402a1d 18 API calls 3622->3623 3624 401cd2 SetWindowLongA 3623->3624 3625 4028cf 3624->3625 3626 401a43 3627 402a1d 18 API calls 3626->3627 3628 401a49 3627->3628 3629 402a1d 18 API calls 3628->3629 3630 4019f3 3629->3630 3208 401e44 3209 402a3a 18 API calls 3208->3209 3210 401e4a 3209->3210 3211 404f12 25 API calls 3210->3211 3212 401e54 3211->3212 3224 40548a CreateProcessA 3212->3224 3214 401e5a 3215 4026a6 3214->3215 3216 401eb0 CloseHandle 3214->3216 3217 401e79 WaitForSingleObject 3214->3217 3227 4060ce 3214->3227 3216->3215 3217->3214 3218 401e87 GetExitCodeProcess 3217->3218 3220 401ea4 3218->3220 3221 401e99 3218->3221 3220->3216 3222 401ea2 3220->3222 3231 405c57 wsprintfA 3221->3231 3222->3216 3225 4054c9 3224->3225 3226 4054bd CloseHandle 3224->3226 3225->3214 3226->3225 3228 4060eb PeekMessageA 3227->3228 3229 4060e1 DispatchMessageA 3228->3229 3230 4060fb 3228->3230 3229->3228 3230->3217 3231->3222 3631 402644 3632 40264a 3631->3632 3633 402652 FindClose 3632->3633 3634 4028cf 3632->3634 3633->3634 3635 406344 3636 4061c8 3635->3636 3637 406b33 3636->3637 3638 406252 GlobalAlloc 3636->3638 3639 406249 GlobalFree 3636->3639 3640 4062c0 GlobalFree 3636->3640 3641 4062c9 GlobalAlloc 3636->3641 3638->3636 3638->3637 3639->3638 3640->3641 
3641->3636 3641->3637 3642 4026c6 3643 402a3a 18 API calls 3642->3643 3644 4026d4 3643->3644 3645 4026ea 3644->3645 3646 402a3a 18 API calls 3644->3646 3647 405947 2 API calls 3645->3647 3646->3645 3648 4026f0 3647->3648 3670 40596c GetFileAttributesA CreateFileA 3648->3670 3650 4026fd 3651 4027a0 3650->3651 3652 402709 GlobalAlloc 3650->3652 3655 4027a8 DeleteFileA 3651->3655 3656 4027bb 3651->3656 3653 402722 3652->3653 3654 402797 CloseHandle 3652->3654 3671 403091 SetFilePointer 3653->3671 3654->3651 3655->3656 3658 402728 3659 40307b ReadFile 3658->3659 3660 402731 GlobalAlloc 3659->3660 3661 402741 3660->3661 3662 402775 3660->3662 3664 402e9f 36 API calls 3661->3664 3663 405a13 WriteFile 3662->3663 3665 402781 GlobalFree 3663->3665 3669 40274e 3664->3669 3666 402e9f 36 API calls 3665->3666 3667 402794 3666->3667 3667->3654 3668 40276c GlobalFree 3668->3662 3669->3668 3670->3650 3671->3658 3672 402847 3673 402a1d 18 API calls 3672->3673 3674 40284d 3673->3674 3675 4026a6 3674->3675 3676 40287e 3674->3676 3678 40285b 3674->3678 3676->3675 3677 405d1b 18 API calls 3676->3677 3677->3675 3678->3675 3680 405c57 wsprintfA 3678->3680 3680->3675 3681 4022c7 3682 402a3a 18 API calls 3681->3682 3683 4022d8 3682->3683 3684 402a3a 18 API calls 3683->3684 3685 4022e1 3684->3685 3686 402a3a 18 API calls 3685->3686 3687 4022eb GetPrivateProfileStringA 3686->3687 3698 405050 3699 405072 GetDlgItem GetDlgItem GetDlgItem 3698->3699 3700 4051fb 3698->3700 3743 403f13 SendMessageA 3699->3743 3702 405203 GetDlgItem CreateThread CloseHandle 3700->3702 3703 40522b 3700->3703 3702->3703 3705 405259 3703->3705 3706 405241 ShowWindow ShowWindow 3703->3706 3707 40527a 3703->3707 3704 4050e2 3713 4050e9 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3704->3713 3708 4052b4 3705->3708 3710 405269 3705->3710 3711 40528d ShowWindow 3705->3711 3748 403f13 SendMessageA 3706->3748 3752 403f45 3707->3752 3708->3707 3714 4052c1 SendMessageA 3708->3714 3749 403eb7 3710->3749 3717 4052ad 
3711->3717 3718 40529f 3711->3718 3719 405157 3713->3719 3720 40513b SendMessageA SendMessageA 3713->3720 3716 405286 3714->3716 3721 4052da CreatePopupMenu 3714->3721 3725 403eb7 SendMessageA 3717->3725 3724 404f12 25 API calls 3718->3724 3722 40516a 3719->3722 3723 40515c SendMessageA 3719->3723 3720->3719 3726 405d1b 18 API calls 3721->3726 3744 403ede 3722->3744 3723->3722 3724->3717 3725->3708 3728 4052ea AppendMenuA 3726->3728 3730 405308 GetWindowRect 3728->3730 3731 40531b TrackPopupMenu 3728->3731 3729 40517a 3732 405183 ShowWindow 3729->3732 3733 4051b7 GetDlgItem SendMessageA 3729->3733 3730->3731 3731->3716 3734 405337 3731->3734 3735 4051a6 3732->3735 3736 405199 ShowWindow 3732->3736 3733->3716 3737 4051de SendMessageA SendMessageA 3733->3737 3738 405356 SendMessageA 3734->3738 3747 403f13 SendMessageA 3735->3747 3736->3735 3737->3716 3738->3738 3739 405373 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3738->3739 3741 405395 SendMessageA 3739->3741 3741->3741 3742 4053b7 GlobalUnlock SetClipboardData CloseClipboard 3741->3742 3742->3716 3743->3704 3745 405d1b 18 API calls 3744->3745 3746 403ee9 SetDlgItemTextA 3745->3746 3746->3729 3747->3733 3748->3705 3750 403ec4 SendMessageA 3749->3750 3751 403ebe 3749->3751 3750->3707 3751->3750 3753 403f5d GetWindowLongA 3752->3753 3763 403fe6 3752->3763 3754 403f6e 3753->3754 3753->3763 3755 403f80 3754->3755 3756 403f7d GetSysColor 3754->3756 3757 403f90 SetBkMode 3755->3757 3758 403f86 SetTextColor 3755->3758 3756->3755 3759 403fa8 GetSysColor 3757->3759 3760 403fae 3757->3760 3758->3757 3759->3760 3761 403fb5 SetBkColor 3760->3761 3762 403fbf 3760->3762 3761->3762 3762->3763 3764 403fd2 DeleteObject 3762->3764 3765 403fd9 CreateBrushIndirect 3762->3765 3763->3716 3764->3765 3765->3763 3061 401751 3062 402a3a 18 API calls 3061->3062 3063 401758 3062->3063 3064 401776 3063->3064 3065 40177e 3063->3065 3121 405cf9 lstrcpynA 3064->3121 3122 405cf9 lstrcpynA 3065->3122 3068 40177c 3072 405f64 5 API calls 
3068->3072 3069 401789 3123 40576b lstrlenA CharPrevA 3069->3123 3092 40179b 3072->3092 3076 4017b2 CompareFileTime 3076->3092 3077 401876 3079 404f12 25 API calls 3077->3079 3078 40184d 3080 404f12 25 API calls 3078->3080 3089 401862 3078->3089 3082 401880 3079->3082 3080->3089 3081 405cf9 lstrcpynA 3081->3092 3100 402e9f 3082->3100 3085 4018a7 SetFileTime 3086 4018b9 CloseHandle 3085->3086 3088 4018ca 3086->3088 3086->3089 3087 405d1b 18 API calls 3087->3092 3090 4018e2 3088->3090 3091 4018cf 3088->3091 3094 405d1b 18 API calls 3090->3094 3093 405d1b 18 API calls 3091->3093 3092->3076 3092->3077 3092->3078 3092->3081 3092->3087 3099 40596c GetFileAttributesA CreateFileA 3092->3099 3126 405ffd FindFirstFileA 3092->3126 3129 405947 GetFileAttributesA 3092->3129 3132 4054ef 3092->3132 3096 4018d7 lstrcatA 3093->3096 3097 4018ea 3094->3097 3096->3097 3098 4054ef MessageBoxIndirectA 3097->3098 3098->3089 3099->3092 3102 402eb5 3100->3102 3101 402ee0 3136 40307b 3101->3136 3102->3101 3149 403091 SetFilePointer 3102->3149 3106 40301b 3108 40301f 3106->3108 3113 403037 3106->3113 3107 402efd GetTickCount 3117 402f10 3107->3117 3110 40307b ReadFile 3108->3110 3109 401893 3109->3085 3109->3086 3110->3109 3111 40307b ReadFile 3111->3113 3112 40307b ReadFile 3112->3117 3113->3109 3113->3111 3114 405a13 WriteFile 3113->3114 3114->3113 3116 402f76 GetTickCount 3116->3117 3117->3109 3117->3112 3117->3116 3118 402f9f MulDiv wsprintfA 3117->3118 3139 406195 3117->3139 3147 405a13 WriteFile 3117->3147 3119 404f12 25 API calls 3118->3119 3119->3117 3121->3068 3122->3069 3124 40178f lstrcatA 3123->3124 3125 405785 lstrcatA 3123->3125 3124->3068 3125->3124 3127 406013 FindClose 3126->3127 3128 40601e 3126->3128 3127->3128 3128->3092 3130 405966 3129->3130 3131 405959 SetFileAttributesA 3129->3131 3130->3092 3131->3130 3133 405504 3132->3133 3134 405550 3133->3134 3135 405518 MessageBoxIndirectA 3133->3135 3134->3092 3135->3134 3150 4059e4 ReadFile 3136->3150 3140 4061c2 3139->3140 
3141 4061ba 3139->3141 3140->3141 3142 406252 GlobalAlloc 3140->3142 3143 406249 GlobalFree 3140->3143 3144 4062c0 GlobalFree 3140->3144 3145 4062c9 GlobalAlloc 3140->3145 3141->3117 3142->3141 3146 406266 3142->3146 3143->3142 3144->3145 3145->3140 3145->3141 3146->3140 3148 405a31 3147->3148 3148->3117 3149->3101 3151 402eeb 3150->3151 3151->3106 3151->3107 3151->3109 3766 401651 3767 402a3a 18 API calls 3766->3767 3768 401657 3767->3768 3769 405ffd 2 API calls 3768->3769 3770 40165d 3769->3770 3771 401951 3772 402a1d 18 API calls 3771->3772 3773 401958 3772->3773 3774 402a1d 18 API calls 3773->3774 3775 401962 3774->3775 3776 402a3a 18 API calls 3775->3776 3777 40196b 3776->3777 3778 40197e lstrlenA 3777->3778 3779 4019b9 3777->3779 3780 401988 3778->3780 3780->3779 3784 405cf9 lstrcpynA 3780->3784 3782 4019a2 3782->3779 3783 4019af lstrlenA 3782->3783 3783->3779 3784->3782 3785 4019d2 3786 402a3a 18 API calls 3785->3786 3787 4019d9 3786->3787 3788 402a3a 18 API calls 3787->3788 3789 4019e2 3788->3789 3790 4019e9 lstrcmpiA 3789->3790 3791 4019fb lstrcmpA 3789->3791 3792 4019ef 3790->3792 3791->3792 3793 4021d2 3794 402a3a 18 API calls 3793->3794 3795 4021d8 3794->3795 3796 402a3a 18 API calls 3795->3796 3797 4021e1 3796->3797 3798 402a3a 18 API calls 3797->3798 3799 4021ea 3798->3799 3800 405ffd 2 API calls 3799->3800 3801 4021f3 3800->3801 3802 402204 lstrlenA lstrlenA 3801->3802 3806 4021f7 3801->3806 3804 404f12 25 API calls 3802->3804 3803 404f12 25 API calls 3807 4021ff 3803->3807 3805 402240 SHFileOperationA 3804->3805 3805->3806 3805->3807 3806->3803 3806->3807 3808 402254 3809 40225b 3808->3809 3812 40226e 3808->3812 3810 405d1b 18 API calls 3809->3810 3811 402268 3810->3811 3813 4054ef MessageBoxIndirectA 3811->3813 3813->3812 3814 4042d5 3815 4042e5 3814->3815 3816 40430b 3814->3816 3817 403ede 19 API calls 3815->3817 3818 403f45 8 API calls 3816->3818 3819 4042f2 SetDlgItemTextA 3817->3819 3820 404317 3818->3820 3819->3816 3821 4014d6 3822 402a1d 18 

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetErrorMode.KERNELBASE ref: 004030FE
                                                                                                                                                                                                                                  • GetVersion.KERNEL32 ref: 00403104
                                                                                                                                                                                                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040312D
                                                                                                                                                                                                                                  • #17.COMCTL32(00000007,00000009), ref: 0040314F
                                                                                                                                                                                                                                  • OleInitialize.OLE32(00000000), ref: 00403156
                                                                                                                                                                                                                                  • SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000), ref: 00403172
                                                                                                                                                                                                                                  • GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403187
                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" ,00000000), ref: 0040319A
                                                                                                                                                                                                                                  • CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" ,00000020), ref: 004031C5
                                                                                                                                                                                                                                  • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032C2
                                                                                                                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032D3
                                                                                                                                                                                                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032DF
                                                                                                                                                                                                                                  • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032F3
                                                                                                                                                                                                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032FB
                                                                                                                                                                                                                                  • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040330C
                                                                                                                                                                                                                                  • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403314
                                                                                                                                                                                                                                  • DeleteFileA.KERNELBASE(1033), ref: 00403328
                                                                                                                                                                                                                                    • Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
                                                                                                                                                                                                                                    • Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?), ref: 004060BF
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32(?), ref: 004033D1
                                                                                                                                                                                                                                  • CoUninitialize.COMBASE(?), ref: 004033D6
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 004033F7
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403514
                                                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 0040351B
                                                                                                                                                                                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403533
                                                                                                                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403552
                                                                                                                                                                                                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 00403576
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 00403599
                                                                                                                                                                                                                                    • Part of subcall function 004054EF: MessageBoxIndirectA.USER32(00409218), ref: 0040554A
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
• String ID: "$"C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe$C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu
• API String ID: 3329125770-783158399
• Opcode ID: 4f4e7a4209cacf2233f42e90a73ac4821f0654123dbc60adf3f7537713659d44
• Instruction ID: e7c85c4fe1f62676e3f8a08d8ca43f8bf3783ba147aef7bb7f1979754dcbcc24
• Opcode Fuzzy Hash: 4f4e7a4209cacf2233f42e90a73ac4821f0654123dbc60adf3f7537713659d44
• Instruction Fuzzy Hash: B7C1E5706083417AE711AF71AD8DA2B7EA8EB85306F04457FF541B61D2C77C5A05CB2E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 267 405d1b-405d26 268 405d28-405d37 267->268 269 405d39-405d4e 267->269 268->269 270 405f41-405f45 269->270 271 405d54-405d5f 269->271 273 405d71-405d7b 270->273 274 405f4b-405f55 270->274 271->270 272 405d65-405d6c 271->272 272->270 273->274 275 405d81-405d88 273->275 276 405f60-405f61 274->276 277 405f57-405f5b call 405cf9 274->277 278 405f34 275->278 279 405d8e-405dc3 275->279 277->276 281 405f36-405f3c 278->281 282 405f3e-405f40 278->282 283 405dc9-405dd4 GetVersion 279->283 284 405ede-405ee1 279->284 281->270 282->270 285 405dd6-405dda 283->285 286 405dee 283->286 287 405f11-405f14 284->287 288 405ee3-405ee6 284->288 285->286 292 405ddc-405de0 285->292 289 405df5-405dfc 286->289 290 405f22-405f32 lstrlenA 287->290 291 405f16-405f1d call 405d1b 287->291 293 405ef6-405f02 call 405cf9 288->293 294 405ee8-405ef4 call 405c57 288->294 295 405e01-405e03 289->295 296 405dfe-405e00 289->296 290->270 291->290 292->286 299 405de2-405de6 292->299 304 405f07-405f0d 293->304 294->304 302 405e05-405e28 call 405be0 295->302 303 405e3c-405e3f 295->303 296->295 299->286 305 405de8-405dec 299->305 315 405ec5-405ec9 302->315 316 405e2e-405e37 call 405d1b 302->316 308 405e41-405e4d GetSystemDirectoryA 303->308 309 405e4f-405e52 303->309 304->290 307 405f0f 304->307 305->289 311 405ed6-405edc call 405f64 307->311 312 405ec0-405ec3 308->312 313 405e54-405e62 GetWindowsDirectoryA 309->313 314 405ebc-405ebe 309->314 311->290 312->311 312->315 313->314 314->312 317 405e64-405e6e 314->317 315->311 320 405ecb-405ed1 lstrcatA 315->320 316->312 322 405e70-405e73 317->322 323 405e88-405e9e SHGetSpecialFolderLocation 317->323 320->311 322->323 327 405e75-405e7c 322->327 324 405ea0-405eb7 SHGetPathFromIDListA CoTaskMemFree 323->324 325 405eb9 323->325 324->312 324->325 325->314 328 405e84-405e86 327->328 328->312 328->323
APIs
• GetVersion.KERNEL32(?,0041F4E8,00000000,00404F4A,0041F4E8,00000000), ref: 00405DCC
• GetSystemDirectoryA.KERNEL32(004226A0,00000400), ref: 00405E47
• GetWindowsDirectoryA.KERNEL32(004226A0,00000400), ref: 00405E5A
• SHGetSpecialFolderLocation.SHELL32(?,0040E8C0), ref: 00405E96
• SHGetPathFromIDListA.SHELL32(0040E8C0,004226A0), ref: 00405EA4
• CoTaskMemFree.OLE32(0040E8C0), ref: 00405EAF
• lstrcatA.KERNEL32(004226A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405ED1
• lstrlenA.KERNEL32(004226A0,?,0041F4E8,00000000,00404F4A,0041F4E8,00000000), ref: 00405F23
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E16
• KAo, xrefs: 00405D28
• \Microsoft\Internet Explorer\Quick Launch, xrefs: 00405ECB
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: KAo$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-3339053753
• Opcode ID: fb8208971b7bef3eab874112c295b4c22afd955e6dbc7abb81a1d2e78964ecc6
• Instruction ID: 70d043a0125fa0970afc212ad974551980140434863585fcf13b89b4fbf53fe2
• Opcode Fuzzy Hash: fb8208971b7bef3eab874112c295b4c22afd955e6dbc7abb81a1d2e78964ecc6
• Instruction Fuzzy Hash: AD61F471A04A01ABDF205F64DC88B7F3BA8DB41305F50803BE941B62D0D27D4A82DF5E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 329 40559b-4055c1 call 405859 332 4055c3-4055d5 DeleteFileA 329->332 333 4055da-4055e1 329->333 334 405764-405768 332->334 335 4055e3-4055e5 333->335 336 4055f4-405604 call 405cf9 333->336 337 405712-405717 335->337 338 4055eb-4055ee 335->338 344 405613-405614 call 4057b2 336->344 345 405606-405611 lstrcatA 336->345 337->334 340 405719-40571c 337->340 338->336 338->337 342 405726-40572e call 405ffd 340->342 343 40571e-405724 340->343 342->334 353 405730-405744 call 40576b call 405553 342->353 343->334 347 405619-40561c 344->347 345->347 349 405627-40562d lstrcatA 347->349 350 40561e-405625 347->350 352 405632-405650 lstrlenA FindFirstFileA 349->352 350->349 350->352 354 405656-40566d call 405796 352->354 355 405708-40570c 352->355 368 405746-405749 353->368 369 40575c-40575f call 404f12 353->369 362 405678-40567b 354->362 363 40566f-405673 354->363 355->337 357 40570e 355->357 357->337 366 40567d-405682 362->366 367 40568e-40569c call 405cf9 362->367 363->362 365 405675 363->365 365->362 371 405684-405686 366->371 372 4056e7-4056f9 FindNextFileA 366->372 380 4056b3-4056be call 405553 367->380 381 40569e-4056a6 367->381 368->343 374 40574b-40575a call 404f12 call 405bb4 368->374 369->334 371->367 377 405688-40568c 371->377 372->354 375 4056ff-405702 FindClose 372->375 374->334 375->355 377->367 377->372 389 4056c0-4056c3 380->389 390 4056df-4056e2 call 404f12 380->390 381->372 382 4056a8-4056ac call 40559b 381->382 388 4056b1 382->388 388->372 391 4056c5-4056d5 call 404f12 call 405bb4 389->391 392 4056d7-4056dd 389->392 390->372 391->372 392->372
APIs
• DeleteFileA.KERNELBASE(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055C4
• lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040560C
• lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040562D
• lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405633
• FindFirstFileA.KERNELBASE(00420D10,?,?,?,00409014,?,00420D10,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405644
• FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004056F1
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00405702
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004055A8
                                                                                                                                                                                                                                  • "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" , xrefs: 0040559B
                                                                                                                                                                                                                                  • \*.*, xrefs: 00405606
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                                                  • String ID: "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                                                                                                                  • API String ID: 2035342205-2696634726
                                                                                                                                                                                                                                  • Opcode ID: f4a0432186cec9e524a36939f8e9c58fb2d449d925f7b508e3eb0abb68d19267
                                                                                                                                                                                                                                  • Instruction ID: 44541a5d5af4c0b2911f4644f2fa5328a4f1ed3919081d24b86541679c9c03d6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f4a0432186cec9e524a36939f8e9c58fb2d449d925f7b508e3eb0abb68d19267
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9F51CF30804A04BADF217A658C85BBF7AB8DF82318F54847BF445761D2C73D4982EE6E

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
control_flow_graph 603 406344-406349 604 4063ba-4063d8 603->604 605 40634b-40637a 603->605 606 4069b0-4069c5 604->606 607 406381-406385 605->607 608 40637c-40637f 605->608 609 4069c7-4069dd 606->609 610 4069df-4069f5 606->610 612 406387-40638b 607->612 613 40638d 607->613 611 406391-406394 608->611 616 4069f8-4069ff 609->616 610->616 614 4063b2-4063b5 611->614 615 406396-40639f 611->615 612->611 613->611 619 406587-4065a5 614->619 617 4063a1 615->617 618 4063a4-4063b0 615->618 620 406a01-406a05 616->620 621 406a26-406a32 616->621 617->618 622 40641a-406448 618->622 626 4065a7-4065bb 619->626 627 4065bd-4065cf 619->627 623 406bb4-406bbe 620->623 624 406a0b-406a23 620->624 630 4061c8-4061d1 621->630 631 406464-40647e 622->631 632 40644a-406462 622->632 629 406bca-406bdd 623->629 624->621 628 4065d2-4065dc 626->628 627->628 633 4065de 628->633 634 40657f-406585 628->634 638 406be2-406be6 629->638 635 4061d7 630->635 636 406bdf 630->636 637 406481-40648b 631->637 632->637 654 406564-40657c 633->654 655 406b66-406b70 633->655 634->619 644 406523-40652d 634->644 640 406283-406287 635->640 641 4062f3-4062f7 635->641 642 4061de-4061e2 635->642 643 40631e-40633f 635->643 636->638 645 406491 637->645 646 406402-406408 637->646 656 406b33-406b3d 640->656 657 40628d-4062a6 640->657 648 406b42-406b4c 641->648 649 4062fd-406311 641->649 642->629 647 4061e8-4061f5 642->647 643->606 650 406b72-406b7c 644->650 651 406533-4066fc 644->651 663 4063e7-4063ff 645->663 664 406b4e-406b58 645->664 652 4064bb-4064c1 646->652 653 40640e-406414 646->653 647->636 662 4061fb-406241 647->662 648->629 665 406314-40631c 649->665 650->629 651->630 660 4064c3-4064e1 652->660 661 40651f 652->661 653->622 653->661 654->634 655->629 656->629 659 4062a9-4062ad 657->659 659->640 667 4062af-4062b5 659->667 668 4064e3-4064f7 660->668 669 4064f9-40650b 660->669 661->644 670 406243-406247 662->670 671 406269-40626b 662->671 663->646 664->629 665->641 665->643 672 4062b7-4062be 667->672 673 4062df-4062f1 667->673 674 40650e-406518 668->674 669->674 675 406252-406260 GlobalAlloc 670->675 676 406249-40624c GlobalFree 670->676 677 406279-406281 671->677 678 40626d-406277 671->678 679 4062c0-4062c3 GlobalFree 672->679 680 4062c9-4062d9 GlobalAlloc 672->680 673->665 674->652 681 40651a 674->681 675->636 682 406266 675->682 676->675 677->659 678->677 678->678 679->680 680->636 680->673 684 4064a0-4064b8 681->684 685 406b5a-406b64 681->685 682->671 684->652 685->629
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e28a8ad83f22bfe4c4d455a141f03dc38bf257c2203b46f6b1d5cba347f55b6d
• Instruction ID: a8746b25a1c6b49bbeafbf020c2dfcaa04563a9eac1a8e827fb2969916571183
• Opcode Fuzzy Hash: e28a8ad83f22bfe4c4d455a141f03dc38bf257c2203b46f6b1d5cba347f55b6d
• Instruction Fuzzy Hash: 70F17670D00229CBCF18CFA8C8946ADBBB1FF44305F25816ED856BB281D7786A96CF44
APIs
• FindFirstFileA.KERNELBASE(74DF3410,00421558,C:\,0040589C,C:\,C:\,00000000,C:\,C:\,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00406008
• FindClose.KERNELBASE(00000000), ref: 00406014
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\
• API String ID: 2295610775-3404278061
• Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
• Instruction ID: 1297c1e42099762feae64532f60583430090df1d404adb2e37743a0561846f6f
• Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
• Instruction Fuzzy Hash: 8CD012319491206BC3105B38AD0C85B7A599F593317118A33F567F52F0C7788C7296E9

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 126 403679-403691 call 406092 129 403693-4036a3 call 405c57 126->129 130 4036a5-4036d6 call 405be0 126->130 139 4036f9-403722 call 40393e call 405859 129->139 135 4036d8-4036e9 call 405be0 130->135 136 4036ee-4036f4 lstrcatA 130->136 135->136 136->139 144 403728-40372d 139->144 145 4037a9-4037b1 call 405859 139->145 144->145 146 40372f-403753 call 405be0 144->146 151 4037b3-4037ba call 405d1b 145->151 152 4037bf-4037e4 LoadImageA 145->152 146->145 153 403755-403757 146->153 151->152 155 403865-40386d call 40140b 152->155 156 4037e6-403816 RegisterClassA 152->156 157 403768-403774 lstrlenA 153->157 158 403759-403766 call 405796 153->158 170 403877-403882 call 40393e 155->170 171 40386f-403872 155->171 159 403934 156->159 160 40381c-403860 SystemParametersInfoA CreateWindowExA 156->160 164 403776-403784 lstrcmpiA 157->164 165 40379c-4037a4 call 40576b call 405cf9 157->165 158->157 163 403936-40393d 159->163 160->155 164->165 169 403786-403790 GetFileAttributesA 164->169 165->145 174 403792-403794 169->174 175 403796-403797 call 4057b2 169->175 179 403888-4038a2 ShowWindow call 406024 170->179 180 40390b-403913 call 404fe4 170->180 171->163 174->165 174->175 175->165 187 4038a4-4038a9 call 406024 179->187 188 4038ae-4038c0 GetClassInfoA 179->188 185 403915-40391b 180->185 186 40392d-40392f call 40140b 180->186 185->171 189 403921-403928 call 40140b 185->189 186->159 187->188 192 4038c2-4038d2 GetClassInfoA RegisterClassA 188->192 193 4038d8-403909 DialogBoxParamA call 40140b call 4035c9 188->193 189->171 192->193 193->163
APIs
  • Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
  • Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?), ref: 004060BF
• lstrcatA.KERNEL32(1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" ,00000000), ref: 004036F4
• lstrlenA.KERNEL32(004226A0,?,?,?,004226A0,00000000,00429400,1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,74DF3410), ref: 00403769
• lstrcmpiA.KERNEL32(?,.exe), ref: 0040377C
• GetFileAttributesA.KERNEL32(004226A0), ref: 00403787
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00429400), ref: 004037D0
  • Part of subcall function 00405C57: wsprintfA.USER32 ref: 00405C64
• RegisterClassA.USER32(00422EA0), ref: 0040380D
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403825
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040385A
• ShowWindow.USER32(00000005,00000000), ref: 00403890
• GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004038BC
• GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004038C9
• RegisterClassA.USER32(00422EA0), ref: 004038D2
• DialogBoxParamA.USER32(?,00000000,00403A0B,00000000), ref: 004038F1
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                  • String ID: "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                                                                                                                                                  • API String ID: 1975747703-3157804261
                                                                                                                                                                                                                                  • Opcode ID: 5c13432dcba976acc153c6c4cb0ae4a4ceee92b52a3611d71cd5da1aeea12791
                                                                                                                                                                                                                                  • Instruction ID: cdcda0c5d6d895e27caec97b3fe99e3f57ebd92391a3aca4eab7d54baf018be6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c13432dcba976acc153c6c4cb0ae4a4ceee92b52a3611d71cd5da1aeea12791
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FA61C8B16442007ED620BF669D45F373AACEB44759F40447FF941B22E2C77CAD029A2D

Control-flow Graph

control_flow_graph 200 402c66-402cb4 GetTickCount GetModuleFileNameA call 40596c 203 402cc0-402cee call 405cf9 call 4057b2 call 405cf9 GetFileSize 200->203 204 402cb6-402cbb 200->204 212 402cf4 203->212 213 402ddb-402de9 call 402c02 203->213 205 402e98-402e9c 204->205 215 402cf9-402d10 212->215 219 402deb-402dee 213->219 220 402e3e-402e43 213->220 217 402d12 215->217 218 402d14-402d1d call 40307b 215->218 217->218 227 402d23-402d2a 218->227 228 402e45-402e4d call 402c02 218->228 222 402df0-402e08 call 403091 call 40307b 219->222 223 402e12-402e3c GlobalAlloc call 403091 call 402e9f 219->223 220->205 222->220 251 402e0a-402e10 222->251 223->220 249 402e4f-402e60 223->249 229 402da6-402daa 227->229 230 402d2c-402d40 call 405927 227->230 228->220 237 402db4-402dba 229->237 238 402dac-402db3 call 402c02 229->238 230->237 247 402d42-402d49 230->247 240 402dc9-402dd3 237->240 241 402dbc-402dc6 call 406107 237->241 238->237 240->215 248 402dd9 240->248 241->240 247->237 253 402d4b-402d52 247->253 248->213 254 402e62 249->254 255 402e68-402e6d 249->255 251->220 251->223 253->237 256 402d54-402d5b 253->256 254->255 257 402e6e-402e74 255->257 256->237 258 402d5d-402d64 256->258 257->257 259 402e76-402e91 SetFilePointer call 405927 257->259 258->237 260 402d66-402d86 258->260 263 402e96 259->263 260->220 262 402d8c-402d90 260->262 264 402d92-402d96 262->264 265 402d98-402da0 262->265 263->205 264->248 264->265 265->237 266 402da2-402da4 265->266 266->237
APIs
• GetTickCount.KERNEL32 ref: 00402C77
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,00000400), ref: 00402C93
  • Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,80000000,00000003), ref: 00405970
  • Part of subcall function 0040596C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992
• GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,80000000,00000003), ref: 00402CDF
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
• Inst, xrefs: 00402D4B
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
• "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" , xrefs: 00402C66
• C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
• C:\Users\user\AppData\Local\Temp, xrefs: 00402CC1, 00402CC6, 00402CCC
• Null, xrefs: 00402D5D
• soft, xrefs: 00402D54
• Error launching installer, xrefs: 00402CB6
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" $C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
• API String ID: 4283519449-965790605
• Opcode ID: 3f665217ac2245ad92c498c6fa1e551097c863ebe5e03bc44dd447b4a8322165
• Instruction ID: 1839f4375b44da3097aca9d4a8c6c84b0463c2d100b7a2d698c12080187f488f
• Opcode Fuzzy Hash: 3f665217ac2245ad92c498c6fa1e551097c863ebe5e03bc44dd447b4a8322165
• Instruction Fuzzy Hash: BF51B6B1A41214ABDF109F65DE89B9E7AB4EF00355F14403BF904B62D1C7BC9E418B9D

Control-flow Graph

control_flow_graph 398 401751-401774 call 402a3a call 4057d8 403 401776-40177c call 405cf9 398->403 404 40177e-401790 call 405cf9 call 40576b lstrcatA 398->404 409 401795-40179b call 405f64 403->409 404->409 414 4017a0-4017a4 409->414 415 4017a6-4017b0 call 405ffd 414->415 416 4017d7-4017da 414->416 423 4017c2-4017d4 415->423 424 4017b2-4017c0 CompareFileTime 415->424 417 4017e2-4017fe call 40596c 416->417 418 4017dc-4017dd call 405947 416->418 426 401800-401803 417->426 427 401876-40189f call 404f12 call 402e9f 417->427 418->417 423->416 424->423 428 401805-401847 call 405cf9 * 2 call 405d1b call 405cf9 call 4054ef 426->428 429 401858-401862 call 404f12 426->429 439 4018a1-4018a5 427->439 440 4018a7-4018b3 SetFileTime 427->440 428->414 461 40184d-40184e 428->461 441 40186b-401871 429->441 439->440 443 4018b9-4018c4 CloseHandle 439->443 440->443 444 4028d8 441->444 446 4018ca-4018cd 443->446 447 4028cf-4028d2 443->447 448 4028da-4028de 444->448 451 4018e2-4018e5 call 405d1b 446->451 452 4018cf-4018e0 call 405d1b lstrcatA 446->452 447->444 458 4018ea-402273 call 4054ef 451->458 452->458 458->447 458->448 461->441 463 401850-401851 461->463 463->429
APIs
• lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,00000000,00000000,00000031), ref: 00401790
• CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,00000000,00000000,00000031), ref: 004017BA
  • Part of subcall function 00405CF9: lstrcpynA.KERNEL32(?,?,00000400,00403187,00422F00,NSIS Error), ref: 00405D06
  • Part of subcall function 00404F12: lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
  • Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
  • Part of subcall function 00404F12: lstrcatA.KERNEL32(0041F4E8,00402FCF,00402FCF,0041F4E8,00000000,0040E8C0,00000000), ref: 00404F6E
  • Part of subcall function 00404F12: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 00404F80
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD$C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD$C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\
• API String ID: 1941528284-3469538721
                                                                                                                                                                                                                                  • Opcode ID: 44ecab9e1ef5e24c1ff596ae454948ee53cb588ab7073804ea6e55edc91cb487
                                                                                                                                                                                                                                  • Instruction ID: dfa66b7161a0f16b13ad00a25904a83b243dedeb6ee7557d1be3b523159fd244
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 44ecab9e1ef5e24c1ff596ae454948ee53cb588ab7073804ea6e55edc91cb487
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5641D572910515BACF107BB5CC85EAF3679EF45329B20823BF521F20E2D63C4A419B6D

Control-flow Graph

control_flow_graph 465 4053d8-405423 CreateDirectoryA 466 405425-405427 465->466 467 405429-405436 GetLastError 465->467 468 405450-405452 466->468 467->468 469 405438-40544c SetFileSecurityA 467->469 469->466 470 40544e GetLastError 469->470 470->468
APIs
• CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040541B
• GetLastError.KERNEL32 ref: 0040542F
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405444
• GetLastError.KERNEL32 ref: 0040544E
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$ds@$ts@
• API String ID: 3449924974-3456956737
• Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
• Instruction ID: 5d613d5f07efa900d759e60f8f8ec78c4c71b6ffd2fe208e339ff175f81ef67f
• Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
• Instruction Fuzzy Hash: F3010871D14259EADF119FA0D9487EFBFB8EB04315F00417AE904B6280D378A644CFAA

Control-flow Graph

control_flow_graph 471 406024-406044 GetSystemDirectoryA 472 406046 471->472 473 406048-40604a 471->473 472->473 474 40605a-40605c 473->474 475 40604c-406054 473->475 477 40605d-40608f wsprintfA LoadLibraryExA 474->477 475->474 476 406056-406058 475->476 476->477
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603B
• wsprintfA.USER32 ref: 00406074
• LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406088
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%s.dll$UXTHEME$\
• API String ID: 2200240437-4240819195
• Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
• Instruction ID: 72752c577983536edbae7b7a4b2c1439e1101fa4b93fa8d0208d5a4e16dde88a
• Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
• Instruction Fuzzy Hash: E6F0FC30A40109AADB14E764DC0DFEB365CAB09305F140576A546E11D1D578E9258B69

Control-flow Graph

control_flow_graph 478 402e9f-402eb3 479 402eb5 478->479 480 402ebc-402ec4 478->480 479->480 481 402ec6 480->481 482 402ecb-402ed0 480->482 481->482 483 402ee0-402eed call 40307b 482->483 484 402ed2-402edb call 403091 482->484 488 403032 483->488 489 402ef3-402ef7 483->489 484->483 492 403034-403035 488->492 490 40301b-40301d 489->490 491 402efd-402f1d GetTickCount call 406175 489->491 493 403066-40306a 490->493 494 40301f-403022 490->494 502 403071 491->502 504 402f23-402f2b 491->504 496 403074-403078 492->496 497 403037-40303d 493->497 498 40306c 493->498 499 403024 494->499 500 403027-403030 call 40307b 494->500 505 403042-403050 call 40307b 497->505 506 40303f 497->506 498->502 499->500 500->488 511 40306e 500->511 502->496 508 402f30-402f3e call 40307b 504->508 509 402f2d 504->509 505->488 514 403052-403057 call 405a13 505->514 506->505 508->488 517 402f44-402f4d 508->517 509->508 511->502 518 40305c-40305e 514->518 519 402f53-402f70 call 406195 517->519 520 403060-403063 518->520 521 403017-403019 518->521 524 403013-403015 519->524 525 402f76-402f8d GetTickCount 519->525 520->493 521->492 524->492 526 402fd2-402fd4 525->526 527 402f8f-402f97 525->527 530 402fd6-402fda 526->530 531 403007-40300b 526->531 528 402f99-402f9d 527->528 529 402f9f-402fcf MulDiv wsprintfA call 404f12 527->529 528->526 528->529 529->526 534 402fdc-402fe1 call 405a13 530->534 535 402fef-402ff5 530->535 531->504 532 403011 531->532 532->502 539 402fe6-402fe8 534->539 538 402ffb-402fff 535->538 538->519 540 403005 538->540 539->521 541 402fea-402fed 539->541 540->502 541->538
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: ... %d%%
• API String ID: 551687249-2449383134
• Opcode ID: fb8bdaecb8610db7079700bd5469a99c5e74861b297f6c97a10e9c8668abb65b
• Instruction ID: 4ab2a5a1bcd3fb7fa9d72e81aa521510b391fe67da8672e6f00875cd24a8b3cf
• Opcode Fuzzy Hash: fb8bdaecb8610db7079700bd5469a99c5e74861b297f6c97a10e9c8668abb65b
• Instruction Fuzzy Hash: 7D518F729022199BDF10DF65DA08A9F7BB8AF40795F14413BF800B72C4C7789E51DBAA

Control-flow Graph

                                                                                                                                                                                                                                  control_flow_graph 542 40599b-4059a5 543 4059a6-4059d1 GetTickCount GetTempFileNameA 542->543 544 4059e0-4059e2 543->544 545 4059d3-4059d5 543->545 546 4059da-4059dd 544->546 545->543 547 4059d7 545->547 547->546
APIs
• GetTickCount.KERNEL32 ref: 004059AF
• GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059C9
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E
• "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" , xrefs: 0040599B
• nsa, xrefs: 004059A6
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" $C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-337437966
• Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
• Instruction ID: 3a3981258a6ccd3f3c7180c2fb01dffc681fdc90015df490a153c8b64b3610b8
• Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
• Instruction Fuzzy Hash: 6DF08276708214ABEB108F55EC04B9B7B9CDF91760F10C03BFA48DA190D6B599548B99

Control-flow Graph
control_flow_graph 548 405859-405874 call 405cf9 call 405804 553 405876-405878 548->553 554 40587a-405887 call 405f64 548->554 555 4058cc-4058ce 553->555 558 405893-405895 554->558 559 405889-40588d 554->559 561 4058ab-4058b4 lstrlenA 558->561 559->553 560 40588f-405891 559->560 560->553 560->558 562 4058b6-4058ca call 40576b GetFileAttributesA 561->562 563 405897-40589e call 405ffd 561->563 562->555 568 4058a0-4058a3 563->568 569 4058a5-4058a6 call 4057b2 563->569 568->553 568->569 569->561
APIs
  • Part of subcall function 00405CF9: lstrcpynA.KERNEL32(?,?,00000400,00403187,00422F00,NSIS Error), ref: 00405D06
  • Part of subcall function 00405804: CharNextA.USER32(?,?,C:\,?,00405870,C:\,C:\,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405812
  • Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 00405817
  • Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 0040582B
• lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058AC
• GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 004058BC
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\$C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-3049482934
• Opcode ID: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
• Instruction ID: 1d2993da53655c0900dfa7f8eb6ffa86a16769ab8224128061af08a25d69d353
• Opcode Fuzzy Hash: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
• Instruction Fuzzy Hash: 16F0F427105E5165DA22323B1C05B9F1A44CD86354718C53BFC51F22D2DA3CC8629DBE

Control-flow Graph
control_flow_graph 571 401f90-401f9c 572 401fa2-401fb8 call 402a3a * 2 571->572 573 402057-402059 571->573 582 401fc7-401fd5 LoadLibraryExA 572->582 583 401fba-401fc5 GetModuleHandleA 572->583 574 4021c4-4021c9 call 401423 573->574 581 4028cf-4028de 574->581 585 401fd7-401fe4 GetProcAddress 582->585 586 402050-402052 582->586 583->582 583->585 588 402023-402028 call 404f12 585->588 589 401fe6-401fec 585->589 586->574 593 40202d-402030 588->593 591 402005-402019 589->591 592 401fee-401ffa call 401423 589->592 597 40201e-402021 591->597 592->593 602 401ffc-402003 592->602 593->581 595 402036-40203e call 403619 593->595 595->581 601 402044-40204b FreeLibrary 595->601 597->593 601->581 602->593
APIs
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB
  • Part of subcall function 00404F12: lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
  • Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
  • Part of subcall function 00404F12: lstrcatA.KERNEL32(0041F4E8,00402FCF,00402FCF,0041F4E8,00000000,0040E8C0,00000000), ref: 00404F6E
  • Part of subcall function 00404F12: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 00404F80
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
• GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
• FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
• String ID:
• API String ID: 2987980305-0
• Opcode ID: c9236aab3ecf390f27b0d2df40a3eeaa529cc51138fd025aa611fd94b365db02
• Instruction ID: 033e4e5f5e4c037d50d2464c5542d6b5672e4837e9f8cb01fb8d89ff16108e1c
• Opcode Fuzzy Hash: c9236aab3ecf390f27b0d2df40a3eeaa529cc51138fd025aa611fd94b365db02
• Instruction Fuzzy Hash: 1A212B72904211FBDF217FA48E49AAE76B1AB45318F30423BF701B62D0C7BD49459A6E

Control-flow Graph
control_flow_graph 686 4015b3-4015c6 call 402a3a call 405804 691 4015c8-4015db call 405796 686->691 692 40161c-40161f 686->692 700 4015f3-4015f4 call 405455 691->700 701 4015dd-4015e0 691->701 694 401621-40163c call 401423 call 405cf9 SetCurrentDirectoryA 692->694 695 40164a-4021c9 call 401423 692->695 708 4028cf-4028de 694->708 711 401642-401645 694->711 695->708 707 4015f9-4015fb 700->707 701->700 705 4015e2-4015e9 call 405472 701->705 705->700 716 4015eb-4015ec call 4053d8 705->716 712 401612-40161a 707->712 713 4015fd-401602 707->713 711->708 712->691 712->692 717 401604-40160d GetFileAttributesA 713->717 718 40160f 713->718 721 4015f1 716->721 717->712 717->718 718->712 721->707
APIs
  • Part of subcall function 00405804: CharNextA.USER32(?,?,C:\,?,00405870,C:\,C:\,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405812
  • Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 00405817
  • Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 0040582B
• GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
  • Part of subcall function 004053D8: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040541B
• SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,00000000,00000000,000000F0), ref: 00401634
Strings
• C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD, xrefs: 00401629
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD
                                                                                                                                                                                                                                  • API String ID: 1892508949-2353090577
                                                                                                                                                                                                                                  • Opcode ID: dc3f2b08dd0b23deb2200b8cff6eb9b6ab41173e829b03834ce904b4ad95c354
                                                                                                                                                                                                                                  • Instruction ID: 4fb2b9239308f527e4829455642bf5c86be9504270dcf99fcce102751257b2ff
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dc3f2b08dd0b23deb2200b8cff6eb9b6ab41173e829b03834ce904b4ad95c354
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1611E736508141ABEF217F650D415BF27B0EA92325738467FE592B62E2C63C4942A63F

Control-flow Graph

control_flow_graph 722 40548a-4054bb CreateProcessA 723 4054c9-4054ca 722->723 724 4054bd-4054c6 CloseHandle 722->724 724->723
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004054B3
• CloseHandle.KERNEL32(?), ref: 004054C0
Strings
• Error launching installer, xrefs: 0040549D
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
• Instruction ID: 90ee3f3d0c484d323fd0424032eb65db2415cafeee3384e03f1d9bc4b04e7a5d
• Opcode Fuzzy Hash: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
• Instruction Fuzzy Hash: FFE04FB4A002097FEB009B60EC05F7B7BBCEB00348F408561BD11F21A0E374A9508A78
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4bbaf917c5b2b4b29eca7dd879fe0279583c9caa0a8680a3fb668f2eecfa979
• Instruction ID: ac331763182a67db8ffe8b732b67c8974d54266b30473341b06133cd37c0d4bc
• Opcode Fuzzy Hash: b4bbaf917c5b2b4b29eca7dd879fe0279583c9caa0a8680a3fb668f2eecfa979
• Instruction Fuzzy Hash: ECA13171E00229CBDF28DFA8C8547ADBBB1FB44305F11816ED816BB281C7786A96CF44
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db4b2f824491321a50731860d46817135270c8e97721ba662834ece50dc26027
• Instruction ID: e89747aace1fce0fcb13a8d80e6f88749465aa03c559881c8099c8d07fdfb4d2
• Opcode Fuzzy Hash: db4b2f824491321a50731860d46817135270c8e97721ba662834ece50dc26027
• Instruction Fuzzy Hash: BE911070E04228CBDF28DF98C8547ADBBB1FB44305F15816ED816BB281C778AA96DF44
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adca5b2b6989107afceee3a061708c38461c5fc9fc0daf484043dfdf7e09805a
• Instruction ID: d456333056e0522eb9a81365918d8492ce98a85054e5b278218ea4b7938feab7
• Opcode Fuzzy Hash: adca5b2b6989107afceee3a061708c38461c5fc9fc0daf484043dfdf7e09805a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E1814671D04228CFDF24CFA8C8847ADBBB1FB44305F25816AD416BB281C778AA96DF44
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 5bfff9db2859b877ca6a77ec9405565887134ef839be144d68b3806b8d7c08ac
                                                                                                                                                                                                                                  • Instruction ID: 4327eab70650ef0c96a691b493921a8ab8e5ba0d824f916f670fcb6a13d6a8f8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5bfff9db2859b877ca6a77ec9405565887134ef839be144d68b3806b8d7c08ac
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11816671D04228DBDF24CFA8C8447ADBBB1FB44315F2181AED856BB281C7786A96DF44
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 2f3dabd0af62f4e8bfcd4b659d73a5ba33a7939e144f292b7bb16ba2439e66e8
                                                                                                                                                                                                                                  • Instruction ID: 63ee65aff5d1ea53a99bb7455827a561e54e570c364fe5978cc4b9ff32097947
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f3dabd0af62f4e8bfcd4b659d73a5ba33a7939e144f292b7bb16ba2439e66e8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9711271D04228CBDF24CFA8C8547ADBBF1FB48305F15806AD856BB281D7786A96DF44
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 83d4d9fa97144311a3e66a470cde7927608ab55fe6dc8c436fded4a10c430ead
                                                                                                                                                                                                                                  • Instruction ID: 2ec41c1936be718984cf19d05ce660ecedc56656b80368bbb2ce29215557a5c8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 83d4d9fa97144311a3e66a470cde7927608ab55fe6dc8c436fded4a10c430ead
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 53712571E04228CBDF28CF98C854BADBBB1FB44305F15816ED856BB281C7785996DF44
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 1b21a4910564614c6641403ac362d6aa440f40f6368f9ee5d1983abbc3d5a3b8
                                                                                                                                                                                                                                  • Instruction ID: 94740bf10ed9628fc2a816943eb7322e71ed29eec5e37d1a6fe0f7c23d4f3e83
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b21a4910564614c6641403ac362d6aa440f40f6368f9ee5d1983abbc3d5a3b8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D714571E04228CBDF28CF98C854BADBBB1FB44305F11806ED856BB281C7786A96DF44
APIs
  • Part of subcall function 00404F12: lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
  • Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
  • Part of subcall function 00404F12: lstrcatA.KERNEL32(0041F4E8,00402FCF,00402FCF,0041F4E8,00000000,0040E8C0,00000000), ref: 00404F6E
  • Part of subcall function 00404F12: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 00404F80
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
  • Part of subcall function 00404F12: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE
  • Part of subcall function 0040548A: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004054B3
  • Part of subcall function 0040548A: CloseHandle.KERNEL32(?), ref: 004054C0
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
• GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E8E
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3521207402-0
                                                                                                                                                                                                                                  • Opcode ID: 7baa4545988b071bf1f27952e090968b1b6e0d745a44be253271fef70d106577
                                                                                                                                                                                                                                  • Instruction ID: 49f7d359c4d218189077cc8fb8a526ed56d4096950e75cb47e310611910bd6fc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7baa4545988b071bf1f27952e090968b1b6e0d745a44be253271fef70d106577
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C4016D31904104EBDF11AFA1C984A9E77B2EF00354F10817BFA01B52E1C7785A85AB9A
APIs
  • Part of subcall function 00405947: GetFileAttributesA.KERNELBASE(?,?,0040555F,?,?,00000000,00405742,?,?,?,?), ref: 0040594C
  • Part of subcall function 00405947: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405960
• RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405742), ref: 0040556E
• DeleteFileA.KERNELBASE(?,?,?,00000000,00405742), ref: 00405576
• SetFileAttributesA.KERNEL32(?,00000000), ref: 0040558E
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: 17f562840c1773a82e66d36c699c3ba4858698b3520e1b3e97930180dfe60130
• Instruction ID: 364b991763a9b947ff98ca2783b3bb2cd1a0068a6ee853e10d07d538a8c3989e
• Opcode Fuzzy Hash: 17f562840c1773a82e66d36c699c3ba4858698b3520e1b3e97930180dfe60130
• Instruction Fuzzy Hash: 6CE0E531519A91B6C61057309C08F5F2AD6EFCA338F040A36F891B21C4C33C88068E7E
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
• Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
• Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
• Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D
APIs
• GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
• GetProcAddress.KERNEL32(00000000,?), ref: 004060BF
  • Part of subcall function 00406024: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603B
  • Part of subcall function 00406024: wsprintfA.USER32 ref: 00406074
  • Part of subcall function 00406024: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406088
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
• Instruction ID: f390ed2799c289b087c769a87f24dfac638062b8da6604b2acd18c4b1555f769
• Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
• Instruction Fuzzy Hash: B4E08632644111A6D320A7709D0493B72EC9E84710302483EF906F2191D738AC259669
APIs
• GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,80000000,00000003), ref: 00405970
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
• Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
• Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?,?,0040555F,?,?,00000000,00405742,?,?,?,?), ref: 0040594C
                                                                                                                                                                                                                                  • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405960
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                                                  • Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                                                                                                                                                                                                  • Instruction ID: 96e5362f07f59601f7516fe8bcac2aa0a8151a45168581d09323fa3b8cc485cf
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7D01272908121AFC2102738ED0C89BBF65EB543717058B35FDB9F22F0D7304C568AA6
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(FFFFFFFF,004033D6,?), ref: 004035AA
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\, xrefs: 004035BE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\
                                                                                                                                                                                                                                  • API String ID: 2962429428-367517261
                                                                                                                                                                                                                                  • Opcode ID: 596cad97df7a130adaf378ac47e28dabc4cf3a27c081830e49709f32aaba56d5
                                                                                                                                                                                                                                  • Instruction ID: f4b59f51dd056b556ace1dccfc0996fbca79989fe12c672f2328a55b3cb2227a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 596cad97df7a130adaf378ac47e28dabc4cf3a27c081830e49709f32aaba56d5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FBC08030504640B7D1247F79AD4B5193A145B40335FA04376F8B4F00F1C73C5B45555D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(?,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 0040545B
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00405469
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1375471231-0
                                                                                                                                                                                                                                  • Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                                                                                                                                                                                                  • Instruction ID: ace853db513f64caea17b5c73fb52fb3118c2a3fabff3065b7385b8b337d2f64
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9DC08C30B18101EAC6100B30AE087073D50AB00742F1444356206E10E0C6309050CD2F
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PrivateProfileStringWrite
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 390214022-0
                                                                                                                                                                                                                                  • Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                                                                                                                                                                                                  • Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,0040305C,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,00000004,00000000), ref: 00405A27
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040308E,00000000,00000000,00402EEB,000000FF,00000004,00000000,00000000,00000000), ref: 004059F8
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00405BBE
  • Part of subcall function 00405A42: lstrcpyA.KERNEL32(00421A98,NUL,?,00000000,?,00000000,00405BD5,?,?), ref: 00405A51
  • Part of subcall function 00405A42: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405BD5,?,?), ref: 00405A75
  • Part of subcall function 00405A42: GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405A7E
  • Part of subcall function 00405A42: GetShortPathNameA.KERNEL32(00421E98,00421E98,00000400), ref: 00405A9B
  • Part of subcall function 00405A42: wsprintfA.USER32 ref: 00405AB9
  • Part of subcall function 00405A42: GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405AF4
  • Part of subcall function 00405A42: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B03
  • Part of subcall function 00405A42: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B3B
  • Part of subcall function 00405A42: SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B91
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: File$NamePathShortlstrcpy$AllocCloseGlobalHandleMovePointerSizewsprintf
• String ID:
• API String ID: 2305538632-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 0040309F
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• GetDlgItem.USER32(?,000003F9), ref: 004048A7
• GetDlgItem.USER32(?,00000408), ref: 004048B2
• GlobalAlloc.KERNEL32(00000040,?), ref: 004048FC
• LoadBitmapA.USER32(0000006E), ref: 0040490F
• SetWindowLongA.USER32(?,000000FC,00404E86), ref: 00404928
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040493C
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 0040494E
• SendMessageA.USER32(?,00001109,00000002), ref: 00404964
• SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404970
• SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404982
• DeleteObject.GDI32(00000000), ref: 00404985
• SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049B0
• SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049BC
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A51
• SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A7C
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A90
• GetWindowLongA.USER32(?,000000F0), ref: 00404ABF
• SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404ACD
• ShowWindow.USER32(?,00000005), ref: 00404ADE
• SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BDB
• SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C40
• SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C55
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C79
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C99
                                                                                                                                                                                                                                  • ImageList_Destroy.COMCTL32(?), ref: 00404CAE
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(?), ref: 00404CBE
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D37
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00001102,?,?), ref: 00404DE0
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DEF
                                                                                                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404E0F
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000000), ref: 00404E5D
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003FE), ref: 00404E68
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00404E6F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                                                                  • String ID: $KAo$M$N
                                                                                                                                                                                                                                  • API String ID: 1638840714-3073395132
                                                                                                                                                                                                                                  • Opcode ID: 8b0289ef19e9e7d4f6956f04046df2f7fedd754f5cc9c605ccbb11d5e9afe659
                                                                                                                                                                                                                                  • Instruction ID: e7c54df8ad39b376662a796d960b289492e5a6982c1727c2c37b81bede79f7f2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b0289ef19e9e7d4f6956f04046df2f7fedd754f5cc9c605ccbb11d5e9afe659
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43025EB0A00209AFEF109F54DC85AAE7BB5FB84315F10817AF611B62E1D7789E42DF58
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,00000403), ref: 004050AF
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004050BE
                                                                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 004050FB
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(00000002), ref: 00405102
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405123
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405134
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405147
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405155
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405168
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040518A
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000008), ref: 0040519E
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004051BF
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051CF
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051E8
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004051F4
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003F8), ref: 004050CD
                                                                                                                                                                                                                                    • Part of subcall function 00403F13: SendMessageA.USER32(00000028,?,00000001,00403D44), ref: 00403F21
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 00405210
                                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00004FE4,00000000), ref: 0040521E
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00405225
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00405248
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000008), ref: 0040524F
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000008), ref: 00405295
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052C9
                                                                                                                                                                                                                                  • CreatePopupMenu.USER32 ref: 004052DA
                                                                                                                                                                                                                                  • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052EF
                                                                                                                                                                                                                                  • GetWindowRect.USER32(?,000000FF), ref: 0040530F
                                                                                                                                                                                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405328
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405364
                                                                                                                                                                                                                                  • OpenClipboard.USER32(00000000), ref: 00405374
                                                                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 0040537A
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000042,?), ref: 00405383
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 0040538D
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053A1
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004053BA
                                                                                                                                                                                                                                  • SetClipboardData.USER32(00000001,00000000), ref: 004053C5
                                                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 004053CB
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 590372296-0
                                                                                                                                                                                                                                  • Opcode ID: d6ecd7d14b8e00b748d1229dc10f545a94969e68e0fceeae392a714a00d68d17
                                                                                                                                                                                                                                  • Instruction ID: d5cc627e10ac9a037e5b70d1472d8d3a221fef050c439e23246209dc4a3cc6f1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d6ecd7d14b8e00b748d1229dc10f545a94969e68e0fceeae392a714a00d68d17
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 53A159B1900208BFDB219FA0DD85AAE7F79FB48355F10407AFA01B61A0C7B55E41DF69
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003FB), ref: 0040436B
                                                                                                                                                                                                                                  • SetWindowTextA.USER32(00000000,?), ref: 00404395
                                                                                                                                                                                                                                  • SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 00404446
                                                                                                                                                                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404451
                                                                                                                                                                                                                                  • lstrcmpiA.KERNEL32(004226A0,0041FD08), ref: 00404483
                                                                                                                                                                                                                                  • lstrcatA.KERNEL32(?,004226A0), ref: 0040448F
                                                                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044A1
                                                                                                                                                                                                                                    • Part of subcall function 004054D3: GetDlgItemTextA.USER32(?,?,00000400,004044D8), ref: 004054E6
                                                                                                                                                                                                                                    • Part of subcall function 00405F64: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" ,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FBC
                                                                                                                                                                                                                                    • Part of subcall function 00405F64: CharNextA.USER32(?,?,?,00000000), ref: 00405FC9
                                                                                                                                                                                                                                    • Part of subcall function 00405F64: CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" ,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FCE
                                                                                                                                                                                                                                    • Part of subcall function 00405F64: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FDE
                                                                                                                                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 0040455F
                                                                                                                                                                                                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040457A
                                                                                                                                                                                                                                    • Part of subcall function 004046D3: lstrlenA.KERNEL32(0041FD08,0041FD08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045EE,000000DF,00000000,00000400,?), ref: 00404771
                                                                                                                                                                                                                                    • Part of subcall function 004046D3: wsprintfA.USER32 ref: 00404779
                                                                                                                                                                                                                                    • Part of subcall function 004046D3: SetDlgItemTextA.USER32(?,0041FD08), ref: 0040478C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                  • String ID: A$KAo
                                                                                                                                                                                                                                  • API String ID: 2624150263-3292651041
                                                                                                                                                                                                                                  • Opcode ID: 1558e11706ab6d26c01ec83b0c58713cad93a9e9ab837f02d5dc5529ec40a987
                                                                                                                                                                                                                                  • Instruction ID: 222947b4accbc62cc0073c5541b0f9589876626f1104fcc3d8441c992cea6716
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1558e11706ab6d26c01ec83b0c58713cad93a9e9ab837f02d5dc5529ec40a987
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71A17EB1900209ABDB11AFA5CC45BEFB6B8EF84315F14843BF711B62D1D77C8A418B69
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD, xrefs: 0040211D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharCreateInstanceMultiWide
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD
                                                                                                                                                                                                                                  • API String ID: 123533781-2353090577
                                                                                                                                                                                                                                  • Opcode ID: 98c6856de954bf32f67bc9aae575288044ef0a57168b27d926b9bae310f30c25
                                                                                                                                                                                                                                  • Instruction ID: 15b8319daa3a69dadbe16bc3493db081a7dc62ee607a685d27ecc12527328b4b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 98c6856de954bf32f67bc9aae575288044ef0a57168b27d926b9bae310f30c25
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 785138B1A00208BFCF10DFA4C988A9D7BB5FF48319F20856AF515EB2D1DB799941CB54
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFindFirst
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1974802433-0
                                                                                                                                                                                                                                  • Opcode ID: a8d2051a0b43e45e0548476364d3f5ec7a3e7dc7c9238cb7b637b6be69fa9f30
                                                                                                                                                                                                                                  • Instruction ID: a95b2630499809d01a6e7b037cab792d100f7a465f9f887e4e98b5ff960ae470
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a8d2051a0b43e45e0548476364d3f5ec7a3e7dc7c9238cb7b637b6be69fa9f30
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 79F0A7726082009BE701E7A49949AEE7778DB61314F60057BE241A21C1D7B84985AB3A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A47
                                                                                                                                                                                                                                  • ShowWindow.USER32(?), ref: 00403A64
                                                                                                                                                                                                                                  • DestroyWindow.USER32 ref: 00403A78
                                                                                                                                                                                                                                  • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A94
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,?), ref: 00403AB5
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AC9
                                                                                                                                                                                                                                  • IsWindowEnabled.USER32(00000000), ref: 00403AD0
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 00403B7E
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,00000002), ref: 00403B88
                                                                                                                                                                                                                                  • SetClassLongA.USER32(?,000000F2,?), ref: 00403BA2
                                                                                                                                                                                                                                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403BF3
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,00000003), ref: 00403C99
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000000,?), ref: 00403CBA
                                                                                                                                                                                                                                  • EnableWindow.USER32(?,?), ref: 00403CCC
                                                                                                                                                                                                                                  • EnableWindow.USER32(?,?), ref: 00403CE7
                                                                                                                                                                                                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CFD
                                                                                                                                                                                                                                  • EnableMenuItem.USER32(00000000), ref: 00403D04
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D1C
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D2F
                                                                                                                                                                                                                                  • lstrlenA.KERNEL32(0041FD08,?,0041FD08,00422F00), ref: 00403D58
                                                                                                                                                                                                                                  • SetWindowTextA.USER32(?,0041FD08), ref: 00403D67
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,0000000A), ref: 00403E9B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                   • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
• String ID:
• API String ID: 184305955-0
• Opcode ID: 3ac918ef0a42e48e667534ebe08b1c5e2c6f4e88b6f53ea8c8a8fe3e2e231469
• Instruction ID: e8e4c14712e0ebd1bd3c96694815290efe84e81baa174b168cbdfcdac135d6c4
• Opcode Fuzzy Hash: 3ac918ef0a42e48e667534ebe08b1c5e2c6f4e88b6f53ea8c8a8fe3e2e231469
• Instruction Fuzzy Hash: 29C1DF71A04205BBDB20AF61EE45E2B3E7CFB45706B40453EF601B11E1C779A942AB6E
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040B2
• GetDlgItem.USER32(00000000,000003E8), ref: 004040C6
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004040E4
• GetSysColor.USER32(?), ref: 004040F5
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404104
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404113
• lstrlenA.KERNEL32(?), ref: 00404116
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404125
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040413A
• GetDlgItem.USER32(?,0000040A), ref: 0040419C
• SendMessageA.USER32(00000000), ref: 0040419F
• GetDlgItem.USER32(?,000003E8), ref: 004041CA
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040420A
• LoadCursorA.USER32(00000000,00007F02), ref: 00404219
• SetCursor.USER32(00000000), ref: 00404222
• ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404235
• LoadCursorA.USER32(00000000,00007F00), ref: 00404242
• SetCursor.USER32(00000000), ref: 00404245
• SendMessageA.USER32(00000111,00000001,00000000), ref: 00404271
• SendMessageA.USER32(00000010,00000000,00000000), ref: 00404285
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: KAo$N$open
• API String ID: 3615053054-4196897437
• Opcode ID: d6331d360d592cb1fcb1934a6ab791839a151b05b6f3426df7f2f496f579edd7
• Instruction ID: f5dd8c80699fee66c1c508087d6ededbe7bbcdfb93c9c5870bdb982cd402330a
• Opcode Fuzzy Hash: d6331d360d592cb1fcb1934a6ab791839a151b05b6f3426df7f2f496f579edd7
• Instruction Fuzzy Hash: 1261C5B1A40209BFEB109F61DC45F6A7B79FB84741F10807AFB057A2D1C7B8A951CB98
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
• Instruction ID: a0b7ce50fec83efafeb16569406a1c152c04985fcf8b97c7298fc3655e55bd79
• Opcode Fuzzy Hash: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
• Instruction Fuzzy Hash: CD419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5
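Reading hundreds of these per-function "APIs" listings by hand is slow, and the calls that matter (the ShellExecuteA with verb "open" in the dialog handler above, or the GetShortPathNameA / "[Rename]" / "NUL" sequence that writes the wininit.ini delete-on-reboot entry in the file-handling routine further down) are buried among SendMessageA and GDI noise. The following parser is an added example, not Joe Sandbox code and not part of this report: it splits a pasted dump at each "APIs" header, parses the "Api.Module(args), ref: addr" lines including the "Part of subcall function" prefix and the argument-less "wsprintfA.USER32 ref: ..." form, and lists the calls an analyst should read first. The watchlist, the ShellExecute verb set and the "[Rename]"/"NUL" literals are the example's own triage assumptions; the sample input is copied from the listings on this page.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox IDA-plugin dump
(the layout shown above) and rank the calls an analyst should read first.
Added example; not Joe Sandbox code. Names below are the example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "• Api.Module(args), ref: addr" line, optionally prefixed with the
# report's "Part of subcall function <addr>:" marker. The argument list is
# optional because the report prints some calls as "wsprintfA.USER32 ref: ...".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*?)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

# Triage knobs (assumed, tune per case): APIs worth a second look in an
# installer-shaped dropper, ShellExecute verbs, and the wininit.ini
# "[Rename]" / "NUL" literals of the delete-on-reboot idiom.
WATCHLIST = {"ShellExecuteA", "CreateProcessA", "CreateFileA", "WriteFile",
             "SetFilePointer", "GetShortPathNameA", "MoveFileExA"}
SHELL_VERBS = {"open", "runas", "runasuser"}
RENAME_LITERALS = {"[Rename]", "NUL"}
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str | None          # call-site address printed after "ref:"
    subcall_of: str | None   # callee address for "Part of subcall function" lines


def parse_blocks(text: str) -> list[list[ApiCall]]:
    """Split the dump at each "APIs" header; collect calls until "Strings"."""
    blocks: list[list[ApiCall]] = []
    in_apis = False
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            blocks.append([])
            in_apis = True
            continue
        if head in ("Strings", "Memory Dump Source"):
            in_apis = False
            continue
        if not in_apis:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        blocks[-1].append(ApiCall(m.group("api"), m.group("module"), args,
                                  m.group("ref"), m.group("sub")))
    return blocks


def reasons_for(call: ApiCall) -> list[str]:
    """Why a call deserves attention; an empty list means skip it."""
    out = []
    if call.api in WATCHLIST:
        out.append(f"watchlisted API {call.api}")
    for a in call.args:
        if PATH_RE.match(a):
            out.append(f"filesystem path argument {a}")
        if call.api.startswith("ShellExecute") and a in SHELL_VERBS:
            out.append(f"ShellExecute verb '{a}'")
        if a in RENAME_LITERALS:
            out.append(f"wininit.ini delete-on-reboot literal {a}")
    return out


def flagged(blocks: list[list[ApiCall]]) -> list[tuple[int, str, list[str]]]:
    """(block index, 'Api@ref', reasons) for every call with a reason, in
    report order, so the output can be read next to the dump."""
    hits = []
    for i, block in enumerate(blocks):
        for c in block:
            r = reasons_for(c)
            if r:
                hits.append((i, f"{c.api}@{c.ref}", r))
    return hits


# Input lines copied from the report's "APIs" listings on this page (two
# function blocks), with the page's leading whitespace removed.
SAMPLE = "\n".join([
    "APIs",
    "• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040420A",
    "• ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404235",
    "• SendMessageA.USER32(00000010,00000000,00000000), ref: 00404285",
    "Strings",
    "Memory Dump Source",
    "• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true",
    "APIs",
    "• lstrcpyA.KERNEL32(00421A98,NUL,?,00000000,?,00000000,00405BD5,?,?), ref: 00405A51",
    "• GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405A7E",
    "  • Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1",
    "• wsprintfA.USER32 ref: 00405AB9",
    "• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B3B",
    r"  • Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,80000000,00000003), ref: 00405970",
    "Strings",
])

if __name__ == "__main__":
    for idx, name, why in flagged(parse_blocks(SAMPLE)):
        print(f"block {idx}: {name}: {'; '.join(why)}")
```

Paste a whole report section into `SAMPLE` (or read it from a file) and the output keeps the report's block order, so each hit can be located by its `ref` address in the listing and in the IDA snapshot. The `WATCHLIST` is deliberately short; for an NSIS-style dropper the pairing of `GetShortPathNameA` with the `[Rename]` and `NUL` literals is the signal that files are being scheduled for deletion at reboot, which the sandbox's "Deletes files inside the Windows folder" behaviour does not spell out on its own.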
APIs
• lstrcpyA.KERNEL32(00421A98,NUL,?,00000000,?,00000000,00405BD5,?,?), ref: 00405A51
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405BD5,?,?), ref: 00405A75
• GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405A7E
  • Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1
  • Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405913
• GetShortPathNameA.KERNEL32(00421E98,00421E98,00000400), ref: 00405A9B
• wsprintfA.USER32 ref: 00405AB9
• GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405AF4
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B03
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B3B
• SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B91
• GlobalFree.KERNEL32(00000000), ref: 00405BA2
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BA9
  • Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,80000000,00000003), ref: 00405970
  • Part of subcall function 0040596C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992
                                                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
• String ID: %s=%s$NUL$[Rename]
• API String ID: 222337774-4148678300
• Opcode ID: 4c27ce9d423c33f638fbced1664b30ba87b14f005f57ce999c1b8a6a2e252c84
• Instruction ID: 42b7cc2c3f2f4ef7c3412fd2f3d3cbe4eee66c4c235e50fd6e5efd85f9217fc4
• Opcode Fuzzy Hash: 4c27ce9d423c33f638fbced1664b30ba87b14f005f57ce999c1b8a6a2e252c84
• Instruction Fuzzy Hash: 9931E271A04B19ABD2206B619C89F6B3A6CDF45755F14003AFE05F62D2DA7CBC008E6D
APIs
• CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" ,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FBC
• CharNextA.USER32(?,?,?,00000000), ref: 00405FC9
• CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" ,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FCE
• CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030B4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405FDE
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405F65
• *?|<>/":, xrefs: 00405FAC
• "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" , xrefs: 00405FA0
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-1377249131
• Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
• Instruction ID: a0964663e3c08fb0288e5f4f4a0160773f2bbbf5a4d40b443b4f636863f092b1
• Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
• Instruction Fuzzy Hash: C611C451808F922EEB3216640C44BBB7F99CF5A760F18007BE9D4B22C2D67C5C429F6E
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00403F62
• GetSysColor.USER32(00000000), ref: 00403F7E
• SetTextColor.GDI32(?,00000000), ref: 00403F8A
• SetBkMode.GDI32(?,?), ref: 00403F96
• GetSysColor.USER32(?), ref: 00403FA9
• SetBkColor.GDI32(?,?), ref: 00403FB9
• DeleteObject.GDI32(?), ref: 00403FD3
• CreateBrushIndirect.GDI32(?), ref: 00403FDD
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
• Instruction ID: 563dd17f99c902cd34f005863f03740a6a5938172a6e5e033378c94734032825
• Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
• Instruction Fuzzy Hash: B4214271908705ABC7219F68DD48F4BBFF8AF01715B048A29E895E26E0D735EA04CB55
APIs
• lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
• lstrlenA.KERNEL32(00402FCF,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
• lstrcatA.KERNEL32(0041F4E8,00402FCF,00402FCF,0041F4E8,00000000,0040E8C0,00000000), ref: 00404F6E
• SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 00404F80
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FA6
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FC0
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FCE
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: 558402415f57fe0eb81db75807d2d057a66030d2c136bde9c432be6294094776
• Instruction ID: 5a9a404093729f8c7a4ed64dcb73daf90ff889549f225b9df3951733f5861a8d
• Opcode Fuzzy Hash: 558402415f57fe0eb81db75807d2d057a66030d2c136bde9c432be6294094776
• Instruction Fuzzy Hash: EB219DB1A00119BADF119FA5DD84ADEBFB9EF44354F14807AF904B6290C7788E41DBA8
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047F8
                                                                                                                                                                                                                                  • GetMessagePos.USER32 ref: 00404800
                                                                                                                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 0040481A
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 0040482C
                                                                                                                                                                                                                                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404852
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                                  • String ID: f
                                                                                                                                                                                                                                  • API String ID: 41195575-1993550816
                                                                                                                                                                                                                                  • Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                                                                                                                                                                                                  • Instruction ID: 206dc1e0429e6aa6b627cd25208fa2295557d59b2a7717453fa0c9894da25502
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E6015276D00259BADB01DB94DC45FFEBBBCAF55711F10412BBA10B61C0C7B4A501CBA5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
                                                                                                                                                                                                                                  • MulDiv.KERNEL32(044A887E,00000064,044AB7B8), ref: 00402BC5
                                                                                                                                                                                                                                  • wsprintfA.USER32 ref: 00402BD5
                                                                                                                                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 00402BE5
                                                                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • verifying installer: %d%%, xrefs: 00402BCF
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                                                                  • String ID: verifying installer: %d%%
                                                                                                                                                                                                                                  • API String ID: 1451636040-82062127
                                                                                                                                                                                                                                  • Opcode ID: 649971ee7512e9da800057b1e5ac373431693e3f4f1e876899c067cd5a0faa84
                                                                                                                                                                                                                                  • Instruction ID: bd73235a5a2a729140de961e31d76a0e47d27260d0eaef7d75f80e35c4c54abd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 649971ee7512e9da800057b1e5ac373431693e3f4f1e876899c067cd5a0faa84
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF01F471540208BBEF109F60DD49EEE3B79EB04305F008039FA16B51D1D7B59955DF59
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(?), ref: 0040276F
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00402782
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
                                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2667972263-0
                                                                                                                                                                                                                                  • Opcode ID: 39fbd17f46fc9c371fd9deabdbb1a4d81bf886de883c9339f90e348bb50c0e41
                                                                                                                                                                                                                                  • Instruction ID: 55e8cf3ffad71cabca96213aa966ad8f6b0c6824c0bc9dabfeb9c0d6c9f08848
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 39fbd17f46fc9c371fd9deabdbb1a4d81bf886de883c9339f90e348bb50c0e41
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 03217C71800124BBCF216FA5DE89EAE7A79EF09324F14023AF950762D1C7795D418FA9
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                                                                                                                                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                                                                                                                                                                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 26d703e6b955c0b1753e13e50ef068aceb5afa025d50a3e8e2eadb28cc0acf60
• Instruction ID: feb6aed171ad8b85e204e5b4e2feb4536d295dbd67c3687bd8867431d3a466b7
• Opcode Fuzzy Hash: 26d703e6b955c0b1753e13e50ef068aceb5afa025d50a3e8e2eadb28cc0acf60
• Instruction Fuzzy Hash: 53117F71A00108FFDF229F90DE89EAE3B7DEB54349B104076FA01B10A0D7749E51DB69
APIs
• GetDlgItem.USER32(?), ref: 00401CE2
• GetClientRect.USER32(00000000,?), ref: 00401CEF
• LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
• SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
• DeleteObject.GDI32(00000000), ref: 00401D2D
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 17232caade98c5884c3b98c25dda3274542a73d841a3bd6b31c87e9b59191b88
• Instruction ID: 14b9f5ff68e8b0ed0f2204d74c17d06140583eb6ed2bbf798243b331d3a4cd3b
• Opcode Fuzzy Hash: 17232caade98c5884c3b98c25dda3274542a73d841a3bd6b31c87e9b59191b88
• Instruction Fuzzy Hash: A9F0E7B2A04114AFEB01ABE4DE88DAFB7BDEB54305B10447AF602F6191C7789D018B79
APIs
• GetDC.USER32(?), ref: 00401D3B
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
• ReleaseDC.USER32(?,00000000), ref: 00401D68
• CreateFontIndirectA.GDI32(0040A7F0), ref: 00401DB3
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: 54d11e4959632539d7c5822479490e62378c8afe9ef9106c9a33de1f24eaef6b
• Instruction ID: 818c9bdddfe1b1fffd76dbb1b88acba4993fd419864b94457e62d7fc32e1ff32
• Opcode Fuzzy Hash: 54d11e4959632539d7c5822479490e62378c8afe9ef9106c9a33de1f24eaef6b
• Instruction Fuzzy Hash: FE016232948740AFE7416B70AE1AFAA3FB4A755305F108479F201B72E3C67811569B3F
APIs
• lstrlenA.KERNEL32(0041FD08,0041FD08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045EE,000000DF,00000000,00000400,?), ref: 00404771
• wsprintfA.USER32 ref: 00404779
• SetDlgItemTextA.USER32(?,0041FD08), ref: 0040478C
Strings
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: bbe280539c3cc3020c43bf789c637de2f8d0099704e891219e4d784778b6cf22
• Instruction ID: 079308417c3a62341de1df324b483ce4e469374b9790fc4fe8de96a48b85a08e
• Opcode Fuzzy Hash: bbe280539c3cc3020c43bf789c637de2f8d0099704e891219e4d784778b6cf22
• Instruction Fuzzy Hash: F011A573A0412837EB0065699C45EAF3298DB86374F254637FA25F71D2EA788C5245A8
APIs
• SetWindowTextA.USER32(00000000,00422F00), ref: 004039D6
Strings
Similarity
• API ID: TextWindow
• String ID: "C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe" $1033$KAo
• API String ID: 530164218-719868371
• Opcode ID: 486f1793fc8ee117fab60480f2aa26aac85a5ca9132015367b3694c6ae5d67fc
• Instruction ID: 79edc1b1becbb318b5d11430581b7fe373163fbdb48c995140def98ab9010f1e
• Opcode Fuzzy Hash: 486f1793fc8ee117fab60480f2aa26aac85a5ca9132015367b3694c6ae5d67fc
• Instruction Fuzzy Hash: B311F3F1B04611ABCB20DF14DD809737BADEBC4756328823FE941A73A0C67D9D029B98
APIs
• lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030C6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405771
• CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030C6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 0040577A
• lstrcatA.KERNEL32(?,00409014), ref: 0040578B
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040576B
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                  • API String ID: 2659869361-3081826266
                                                                                                                                                                                                                                  • Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                                                                                                                                                                                                  • Instruction ID: 00e6a1abdfef3fccf4d12e3b382aa79108487555f8088e95eeaee7bf5793dfbe
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 94D0A9B2A05A307AD3122715AC0DE8B2A08CF82300B094023F200B72A2CB3C1D418BFE
APIs
• RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
• lstrlenA.KERNEL32(00409BE8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
• RegSetValueExA.ADVAPI32(?,?,?,?,00409BE8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
• RegCloseKey.ADVAPI32(?,?,?,00409BE8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: CloseCreateValuelstrlen
• String ID:
• API String ID: 1356686001-0
• Opcode ID: 1dca66d2d1093a5130de9b07e79a19b0c80f7b3ba9a11136c7381f0e18dd9290
• Instruction ID: 26fcae0a7b2a502e926faea7c6e927eea7b3aae3134fdb689c9e3a18d41500d2
• Opcode Fuzzy Hash: 1dca66d2d1093a5130de9b07e79a19b0c80f7b3ba9a11136c7381f0e18dd9290
• Instruction Fuzzy Hash: 3E1145B1E00108BFEB10AFA5EE89EAF767DEB54358F10403AF505B71D1D6B85D419B28
APIs
• CharNextA.USER32(?,?,C:\,?,00405870,C:\,C:\,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405812
• CharNextA.USER32(00000000), ref: 00405817
• CharNextA.USER32(00000000), ref: 0040582B
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
• Opcode ID: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
• Instruction ID: 4ca260c7e1a22d06af12069221c3406c2bee361732d71c1e98a9e22686a99acb
• Opcode Fuzzy Hash: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
• Instruction Fuzzy Hash: 71F0C253908F942BFB3276641C44B675F88DB55350F04C07BEA80B62C2C6788860CBEA
APIs
• DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
• GetTickCount.KERNEL32 ref: 00402C33
• CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
• ShowWindow.USER32(00000000,00000005), ref: 00402C5E
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: bb4189f2555980a5a403f1716edff6096ea92162ad211e01232e213a33bdd725
• Instruction ID: 69bd14cd8f1a0d496662edafeb8c2727d8675a530a128bc1770b64b88ff4c26b
• Opcode Fuzzy Hash: bb4189f2555980a5a403f1716edff6096ea92162ad211e01232e213a33bdd725
• Instruction Fuzzy Hash: 2CF05E7090A220ABD6217F64FE0CDDF7BA4FB41B527018576F144B21E4C379988ACB9D
APIs
• IsWindowVisible.USER32(?), ref: 00404EB5
• CallWindowProcA.USER32(?,?,?,?), ref: 00404F06
  • Part of subcall function 00403F2A: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403F3C
Strings
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2380558195.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380601366.0000000000407000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000409000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000421000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000427000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.0000000000429000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380620951.000000000042D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2380729620.000000000042F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3748168415-3916222277
APIs
• FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,004035BC,004033D6,?), ref: 004035FE
• GlobalFree.KERNEL32(00000000), ref: 00403605
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 004035E4
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3081826266
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402CD2,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,80000000,00000003), ref: 004057B8
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402CD2,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,C:\Users\user\AppData\Local\Temp\TeamViewer_Setup_x64.exe,80000000,00000003), ref: 004057C6
Strings
• C:\Users\user\AppData\Local\Temp, xrefs: 004057B2
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\AppData\Local\Temp
• API String ID: 2709904686-47812868
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 004058F9
• CharNextA.USER32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040590A
• lstrlenA.KERNEL32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405913
Memory Dump Source
• Source File: 00000005.00000002.2380578346.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TeamViewer_Setup_x64.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0

Execution Graph

Execution Coverage: 25.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1341
Total number of Limit Nodes: 42
3526->3527 3528 405954 3527->3528 3529 405942 RemoveDirectoryW 3527->3529 3530 40594a DeleteFileW 3527->3530 3528->3485 3531 405950 3529->3531 3530->3531 3531->3528 3532 405960 SetFileAttributesW 3531->3532 3532->3528 3534 406033 3533->3534 3536 406040 3533->3536 3544 405ead lstrcpyW 3534->3544 3536->3485 3537->3507 3540 405c0c 3538->3540 3541 405bfa 3538->3541 3539 405c30 3539->3510 3539->3511 3540->3539 3543 405b5f CharNextW 3540->3543 3541->3540 3542 405c07 CharNextW 3541->3542 3542->3539 3543->3540 3545 405ed5 3544->3545 3546 405efb GetShortPathNameW 3544->3546 3571 405d53 GetFileAttributesW CreateFileW 3545->3571 3548 405f10 3546->3548 3549 40601a 3546->3549 3548->3549 3551 405f18 wsprintfA 3548->3551 3549->3536 3550 405edf CloseHandle GetShortPathNameW 3550->3549 3552 405ef3 3550->3552 3553 4061a0 18 API calls 3551->3553 3552->3546 3552->3549 3554 405f40 3553->3554 3572 405d53 GetFileAttributesW CreateFileW 3554->3572 3556 405f4d 3556->3549 3557 405f5c GetFileSize GlobalAlloc 3556->3557 3558 406013 CloseHandle 3557->3558 3559 405f7e 3557->3559 3558->3549 3560 405dd6 ReadFile 3559->3560 3561 405f86 3560->3561 3561->3558 3573 405cb8 lstrlenA 3561->3573 3564 405fb1 3566 405cb8 4 API calls 3564->3566 3565 405f9d lstrcpyA 3568 405fbf 3565->3568 3566->3568 3567 405ff6 SetFilePointer 3569 405e05 WriteFile 3567->3569 3568->3567 3570 40600c GlobalFree 3569->3570 3570->3558 3571->3550 3572->3556 3574 405cf9 lstrlenA 3573->3574 3575 405d01 3574->3575 3576 405cd2 lstrcmpiA 3574->3576 3575->3564 3575->3565 3576->3575 3577 405cf0 CharNextA 3576->3577 3577->3574 4151 404356 lstrcpynW lstrlenW 4152 401d56 GetDC GetDeviceCaps 4153 402ba2 18 API calls 4152->4153 4154 401d74 MulDiv ReleaseDC 4153->4154 4155 402ba2 18 API calls 4154->4155 4156 401d93 4155->4156 4157 4061a0 18 API calls 4156->4157 4158 401dcc CreateFontIndirectW 4157->4158 4159 402531 4158->4159 4160 401a57 4161 402ba2 18 API calls 4160->4161 4162 401a5d 4161->4162 4163 402ba2 18 API calls 4162->4163 4164 401a05 
4163->4164 4165 4014d7 4166 402ba2 18 API calls 4165->4166 4167 4014dd Sleep 4166->4167 4169 402a4c 4167->4169 4170 404c59 GetDlgItem GetDlgItem 4171 404cab 7 API calls 4170->4171 4178 404ec4 4170->4178 4172 404d41 SendMessageW 4171->4172 4173 404d4e DeleteObject 4171->4173 4172->4173 4174 404d57 4173->4174 4176 404d8e 4174->4176 4177 4061a0 18 API calls 4174->4177 4175 404fa8 4180 405054 4175->4180 4190 405001 SendMessageW 4175->4190 4210 404eb7 4175->4210 4179 404242 19 API calls 4176->4179 4181 404d70 SendMessageW SendMessageW 4177->4181 4178->4175 4188 404ba7 5 API calls 4178->4188 4213 404f35 4178->4213 4184 404da2 4179->4184 4182 405066 4180->4182 4183 40505e SendMessageW 4180->4183 4181->4174 4187 40508f 4182->4187 4192 405078 ImageList_Destroy 4182->4192 4193 40507f 4182->4193 4183->4182 4189 404242 19 API calls 4184->4189 4185 4042a9 8 API calls 4191 40524a 4185->4191 4186 404f9a SendMessageW 4186->4175 4195 4051fe 4187->4195 4209 404c27 4 API calls 4187->4209 4217 4050ca 4187->4217 4188->4213 4194 404db0 4189->4194 4196 405016 SendMessageW 4190->4196 4190->4210 4192->4193 4193->4187 4197 405088 GlobalFree 4193->4197 4198 404e85 GetWindowLongW SetWindowLongW 4194->4198 4205 404e7f 4194->4205 4208 404e00 SendMessageW 4194->4208 4211 404e3c SendMessageW 4194->4211 4212 404e4d SendMessageW 4194->4212 4200 405210 ShowWindow GetDlgItem ShowWindow 4195->4200 4195->4210 4199 405029 4196->4199 4197->4187 4201 404e9e 4198->4201 4204 40503a SendMessageW 4199->4204 4200->4210 4202 404ea4 ShowWindow 4201->4202 4203 404ebc 4201->4203 4221 404277 SendMessageW 4202->4221 4222 404277 SendMessageW 4203->4222 4204->4180 4205->4198 4205->4201 4208->4194 4209->4217 4210->4185 4211->4194 4212->4194 4213->4175 4213->4186 4214 4051d4 InvalidateRect 4214->4195 4215 4051ea 4214->4215 4223 404b62 4215->4223 4216 4050f8 SendMessageW 4220 40510e 4216->4220 4217->4216 4217->4220 4219 405182 SendMessageW SendMessageW 4219->4220 4220->4214 4220->4219 4221->4210 4222->4178 4226 404a99 
4223->4226 4225 404b77 4225->4195 4227 404ab2 4226->4227 4228 4061a0 18 API calls 4227->4228 4229 404b16 4228->4229 4230 4061a0 18 API calls 4229->4230 4231 404b21 4230->4231 4232 4061a0 18 API calls 4231->4232 4233 404b37 lstrlenW wsprintfW SetDlgItemTextW 4232->4233 4233->4225 4234 40155b 4235 4029f2 4234->4235 4238 4060c5 wsprintfW 4235->4238 4237 4029f7 4238->4237 3908 401ddc 3909 402ba2 18 API calls 3908->3909 3910 401de2 3909->3910 3911 402ba2 18 API calls 3910->3911 3912 401deb 3911->3912 3913 401df2 ShowWindow 3912->3913 3914 401dfd KiUserCallbackDispatcher 3912->3914 3915 402a4c 3913->3915 3914->3915 4239 4046dd 4240 404709 4239->4240 4241 40471a 4239->4241 4300 4058a7 GetDlgItemTextW 4240->4300 4243 404726 GetDlgItem 4241->4243 4249 404785 4241->4249 4244 40473a 4243->4244 4248 40474e SetWindowTextW 4244->4248 4252 405bdd 4 API calls 4244->4252 4245 404869 4298 404a18 4245->4298 4302 4058a7 GetDlgItemTextW 4245->4302 4246 404714 4247 406412 5 API calls 4246->4247 4247->4241 4253 404242 19 API calls 4248->4253 4249->4245 4254 4061a0 18 API calls 4249->4254 4249->4298 4251 4042a9 8 API calls 4256 404a2c 4251->4256 4257 404744 4252->4257 4258 40476a 4253->4258 4259 4047f9 SHBrowseForFolderW 4254->4259 4255 404899 4260 405c3a 18 API calls 4255->4260 4257->4248 4264 405b32 3 API calls 4257->4264 4261 404242 19 API calls 4258->4261 4259->4245 4262 404811 CoTaskMemFree 4259->4262 4263 40489f 4260->4263 4265 404778 4261->4265 4266 405b32 3 API calls 4262->4266 4303 40617e lstrcpynW 4263->4303 4264->4248 4301 404277 SendMessageW 4265->4301 4268 40481e 4266->4268 4271 404855 SetDlgItemTextW 4268->4271 4275 4061a0 18 API calls 4268->4275 4270 40477e 4273 406558 5 API calls 4270->4273 4271->4245 4272 4048b6 4274 406558 5 API calls 4272->4274 4273->4249 4286 4048bd 4274->4286 4276 40483d lstrcmpiW 4275->4276 4276->4271 4278 40484e lstrcatW 4276->4278 4277 4048fe 4304 40617e lstrcpynW 4277->4304 4278->4271 4280 404905 4281 405bdd 4 API calls 4280->4281 4282 40490b 
GetDiskFreeSpaceW 4281->4282 4284 40492f MulDiv 4282->4284 4287 404956 4282->4287 4284->4287 4285 405b7e 2 API calls 4285->4286 4286->4277 4286->4285 4286->4287 4288 4049c7 4287->4288 4290 404b62 21 API calls 4287->4290 4289 4049ea 4288->4289 4291 40140b 2 API calls 4288->4291 4305 404264 KiUserCallbackDispatcher 4289->4305 4292 4049b4 4290->4292 4291->4289 4294 4049c9 SetDlgItemTextW 4292->4294 4295 4049b9 4292->4295 4294->4288 4296 404a99 21 API calls 4295->4296 4296->4288 4297 404a06 4297->4298 4306 404672 4297->4306 4298->4251 4300->4246 4301->4270 4302->4255 4303->4272 4304->4280 4305->4297 4307 404680 4306->4307 4308 404685 SendMessageW 4306->4308 4307->4308 4308->4298 3985 401bdf 3986 402ba2 18 API calls 3985->3986 3987 401be6 3986->3987 3988 402ba2 18 API calls 3987->3988 3990 401bf0 3988->3990 3989 401c00 3992 401c10 3989->3992 3993 402bbf 18 API calls 3989->3993 3990->3989 3991 402bbf 18 API calls 3990->3991 3991->3989 3994 401c1b 3992->3994 3995 401c5f 3992->3995 3993->3992 3997 402ba2 18 API calls 3994->3997 3996 402bbf 18 API calls 3995->3996 3998 401c64 3996->3998 3999 401c20 3997->3999 4000 402bbf 18 API calls 3998->4000 4001 402ba2 18 API calls 3999->4001 4002 401c6d FindWindowExW 4000->4002 4003 401c29 4001->4003 4006 401c8f 4002->4006 4004 401c31 SendMessageTimeoutW 4003->4004 4005 401c4f SendMessageW 4003->4005 4004->4006 4005->4006 4007 4022df 4008 402bbf 18 API calls 4007->4008 4009 4022ee 4008->4009 4010 402bbf 18 API calls 4009->4010 4011 4022f7 4010->4011 4012 402bbf 18 API calls 4011->4012 4013 402301 GetPrivateProfileStringW 4012->4013 4309 4043df 4311 4043f7 4309->4311 4314 404511 4309->4314 4310 40457b 4312 404585 GetDlgItem 4310->4312 4313 40464d 4310->4313 4317 404242 19 API calls 4311->4317 4315 40460e 4312->4315 4316 40459f 4312->4316 4319 4042a9 8 API calls 4313->4319 4314->4310 4314->4313 4320 40454c GetDlgItem SendMessageW 4314->4320 4315->4313 4324 404620 4315->4324 4316->4315 4323 4045c5 6 API calls 4316->4323 4318 40445e 
4317->4318 4321 404242 19 API calls 4318->4321 4322 404648 4319->4322 4340 404264 KiUserCallbackDispatcher 4320->4340 4326 40446b CheckDlgButton 4321->4326 4323->4315 4327 404636 4324->4327 4328 404626 SendMessageW 4324->4328 4338 404264 KiUserCallbackDispatcher 4326->4338 4327->4322 4332 40463c SendMessageW 4327->4332 4328->4327 4329 404576 4330 404672 SendMessageW 4329->4330 4330->4310 4332->4322 4333 404489 GetDlgItem 4339 404277 SendMessageW 4333->4339 4335 40449f SendMessageW 4336 4044c5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4335->4336 4337 4044bc GetSysColor 4335->4337 4336->4322 4337->4336 4338->4333 4339->4335 4340->4329 4341 401960 4342 402ba2 18 API calls 4341->4342 4343 401967 4342->4343 4344 402ba2 18 API calls 4343->4344 4345 401971 4344->4345 4346 402bbf 18 API calls 4345->4346 4347 40197a 4346->4347 4348 40198e lstrlenW 4347->4348 4349 4019ca 4347->4349 4350 401998 4348->4350 4350->4349 4354 40617e lstrcpynW 4350->4354 4352 4019b3 4352->4349 4353 4019c0 lstrlenW 4352->4353 4353->4349 4354->4352 4355 401662 4356 402bbf 18 API calls 4355->4356 4357 401668 4356->4357 4358 4064c1 2 API calls 4357->4358 4359 40166e 4358->4359 4360 4019e4 4361 402bbf 18 API calls 4360->4361 4362 4019eb 4361->4362 4363 402bbf 18 API calls 4362->4363 4364 4019f4 4363->4364 4365 4019fb lstrcmpiW 4364->4365 4366 401a0d lstrcmpW 4364->4366 4367 401a01 4365->4367 4366->4367 4368 4025e5 4369 402ba2 18 API calls 4368->4369 4371 4025f4 4369->4371 4370 40272d 4371->4370 4372 40263a ReadFile 4371->4372 4373 405dd6 ReadFile 4371->4373 4374 40267a MultiByteToWideChar 4371->4374 4375 40272f 4371->4375 4376 405e34 5 API calls 4371->4376 4378 4026a0 SetFilePointer MultiByteToWideChar 4371->4378 4379 402740 4371->4379 4372->4370 4372->4371 4373->4371 4374->4371 4381 4060c5 wsprintfW 4375->4381 4376->4371 4378->4371 4379->4370 4380 402761 SetFilePointer 4379->4380 4380->4370 4381->4370 4389 401e66 4390 402bbf 18 API calls 4389->4390 4391 401e6c 4390->4391 4392 4052dd 
25 API calls 4391->4392 4393 401e76 4392->4393 4394 40585e 2 API calls 4393->4394 4395 401e7c 4394->4395 4396 40281e 4395->4396 4397 401edb CloseHandle 4395->4397 4398 401e8c WaitForSingleObject 4395->4398 4397->4396 4399 401e9e 4398->4399 4400 401eb0 GetExitCodeProcess 4399->4400 4403 406594 2 API calls 4399->4403 4401 401ec2 4400->4401 4402 401ecd 4400->4402 4406 4060c5 wsprintfW 4401->4406 4402->4397 4405 401ea5 WaitForSingleObject 4403->4405 4405->4399 4406->4402 3196 401767 3197 402bbf 18 API calls 3196->3197 3198 40176e 3197->3198 3199 401796 3198->3199 3200 40178e 3198->3200 3251 40617e lstrcpynW 3199->3251 3250 40617e lstrcpynW 3200->3250 3203 4017a1 3252 405b32 lstrlenW CharPrevW 3203->3252 3204 401794 3207 406412 5 API calls 3204->3207 3217 4017b3 3207->3217 3211 4017c5 CompareFileTime 3211->3217 3212 401885 3213 4052dd 25 API calls 3212->3213 3215 40188f 3213->3215 3214 4052dd 25 API calls 3216 401871 3214->3216 3235 4030e7 3215->3235 3217->3211 3217->3212 3221 4061a0 18 API calls 3217->3221 3226 40617e lstrcpynW 3217->3226 3233 40185c 3217->3233 3234 405d53 GetFileAttributesW CreateFileW 3217->3234 3255 4064c1 FindFirstFileW 3217->3255 3258 405d2e GetFileAttributesW 3217->3258 3261 4058c3 3217->3261 3220 4018b6 SetFileTime 3222 4018c8 CloseHandle 3220->3222 3221->3217 3222->3216 3223 4018d9 3222->3223 3224 4018f1 3223->3224 3225 4018de 3223->3225 3228 4061a0 18 API calls 3224->3228 3227 4061a0 18 API calls 3225->3227 3226->3217 3229 4018e6 lstrcatW 3227->3229 3230 4018f9 3228->3230 3229->3230 3232 4058c3 MessageBoxIndirectW 3230->3232 3232->3216 3233->3214 3233->3216 3234->3217 3236 403112 3235->3236 3237 4030f6 SetFilePointer 3235->3237 3265 4031ef GetTickCount 3236->3265 3237->3236 3242 4031ef 43 API calls 3243 403149 3242->3243 3244 4031b5 ReadFile 3243->3244 3247 403158 3243->3247 3249 4018a2 3243->3249 3244->3249 3246 405dd6 ReadFile 3246->3247 3247->3246 3247->3249 3280 405e05 WriteFile 3247->3280 3249->3220 3249->3222 3250->3204 3251->3203 3253 
4017a7 lstrcatW 3252->3253 3254 405b4e lstrcatW 3252->3254 3253->3204 3254->3253 3256 4064e2 3255->3256 3257 4064d7 FindClose 3255->3257 3256->3217 3257->3256 3259 405d40 SetFileAttributesW 3258->3259 3260 405d4d 3258->3260 3259->3260 3260->3217 3262 4058d8 3261->3262 3263 405924 3262->3263 3264 4058ec MessageBoxIndirectW 3262->3264 3263->3217 3264->3263 3266 403347 3265->3266 3267 40321d 3265->3267 3268 402d9f 33 API calls 3266->3268 3282 40336e SetFilePointer 3267->3282 3274 403119 3268->3274 3270 403228 SetFilePointer 3276 40324d 3270->3276 3274->3249 3278 405dd6 ReadFile 3274->3278 3275 405e05 WriteFile 3275->3276 3276->3274 3276->3275 3277 403328 SetFilePointer 3276->3277 3283 403358 3276->3283 3286 402d9f 3276->3286 3300 406697 3276->3300 3277->3266 3279 403132 3278->3279 3279->3242 3279->3249 3281 405e23 3280->3281 3281->3247 3282->3270 3284 405dd6 ReadFile 3283->3284 3285 40336b 3284->3285 3285->3276 3287 402db0 3286->3287 3288 402dc8 3286->3288 3291 402db9 DestroyWindow 3287->3291 3294 402dc0 3287->3294 3289 402dd0 3288->3289 3290 402dd8 GetTickCount 3288->3290 3310 406594 3289->3310 3293 402de6 3290->3293 3290->3294 3291->3294 3295 402e1b CreateDialogParamW ShowWindow 3293->3295 3296 402dee 3293->3296 3294->3276 3295->3294 3296->3294 3307 402d83 3296->3307 3298 402dfc wsprintfW 3299 4052dd 25 API calls 3298->3299 3299->3294 3301 4066bc 3300->3301 3302 4066c4 3300->3302 3301->3276 3302->3301 3303 406754 GlobalAlloc 3302->3303 3304 40674b GlobalFree 3302->3304 3305 4067c2 GlobalFree 3302->3305 3306 4067cb GlobalAlloc 3302->3306 3303->3301 3303->3302 3304->3303 3305->3306 3306->3301 3306->3302 3308 402d92 3307->3308 3309 402d94 MulDiv 3307->3309 3308->3309 3309->3298 3311 4065b1 PeekMessageW 3310->3311 3312 4065c1 3311->3312 3313 4065a7 DispatchMessageW 3311->3313 3312->3294 3313->3311 4407 401ee9 4408 402bbf 18 API calls 4407->4408 4409 401ef0 4408->4409 4410 4064c1 2 API calls 4409->4410 4411 401ef6 4410->4411 4413 401f07 4411->4413 4414 4060c5 wsprintfW 
4411->4414 4414->4413 3314 4021ea 3315 402bbf 18 API calls 3314->3315 3316 4021f0 3315->3316 3317 402bbf 18 API calls 3316->3317 3318 4021f9 3317->3318 3319 402bbf 18 API calls 3318->3319 3320 402202 3319->3320 3321 4064c1 2 API calls 3320->3321 3322 40220b 3321->3322 3323 40221c lstrlenW lstrlenW 3322->3323 3324 40220f 3322->3324 3326 4052dd 25 API calls 3323->3326 3325 4052dd 25 API calls 3324->3325 3328 402217 3324->3328 3325->3328 3327 40225a SHFileOperationW 3326->3327 3327->3324 3327->3328 3329 403d6a 3330 403d82 3329->3330 3331 403ebd 3329->3331 3330->3331 3332 403d8e 3330->3332 3333 403f0e 3331->3333 3334 403ece GetDlgItem GetDlgItem 3331->3334 3335 403d99 SetWindowPos 3332->3335 3336 403dac 3332->3336 3338 403f68 3333->3338 3346 401389 2 API calls 3333->3346 3337 404242 19 API calls 3334->3337 3335->3336 3340 403db1 ShowWindow 3336->3340 3341 403dc9 3336->3341 3342 403ef8 SetClassLongW 3337->3342 3357 403eb8 3338->3357 3397 40428e 3338->3397 3340->3341 3343 403dd1 DestroyWindow 3341->3343 3344 403deb 3341->3344 3345 40140b 2 API calls 3342->3345 3396 4041cb 3343->3396 3347 403df0 SetWindowLongW 3344->3347 3348 403e01 3344->3348 3345->3333 3349 403f40 3346->3349 3347->3357 3352 403e0d GetDlgItem 3348->3352 3366 403e78 3348->3366 3349->3338 3353 403f44 SendMessageW 3349->3353 3350 40140b 2 API calls 3386 403f7a 3350->3386 3351 4041cd DestroyWindow KiUserCallbackDispatcher 3351->3396 3356 403e20 SendMessageW IsWindowEnabled 3352->3356 3359 403e3d 3352->3359 3353->3357 3355 4041fc ShowWindow 3355->3357 3356->3357 3356->3359 3358 4061a0 18 API calls 3358->3386 3360 403e4a 3359->3360 3361 403e91 SendMessageW 3359->3361 3362 403e5d 3359->3362 3370 403e42 3359->3370 3360->3361 3360->3370 3361->3366 3364 403e65 3362->3364 3365 403e7a 3362->3365 3410 40140b 3364->3410 3368 40140b 2 API calls 3365->3368 3416 4042a9 3366->3416 3368->3370 3369 404242 19 API calls 3369->3386 3370->3366 3413 40421b 3370->3413 3372 403ff5 GetDlgItem 3373 404012 ShowWindow 
KiUserCallbackDispatcher 3372->3373 3374 40400a 3372->3374 3403 404264 KiUserCallbackDispatcher 3373->3403 3374->3373 3376 40403c EnableWindow 3379 404050 3376->3379 3377 404055 GetSystemMenu EnableMenuItem SendMessageW 3378 404085 SendMessageW 3377->3378 3377->3379 3378->3379 3379->3377 3404 404277 SendMessageW 3379->3404 3405 40617e lstrcpynW 3379->3405 3382 4040b3 lstrlenW 3383 4061a0 18 API calls 3382->3383 3384 4040c9 SetWindowTextW 3383->3384 3406 401389 3384->3406 3386->3350 3386->3351 3386->3357 3386->3358 3386->3369 3387 40410d DestroyWindow 3386->3387 3400 404242 3386->3400 3388 404127 CreateDialogParamW 3387->3388 3387->3396 3389 40415a 3388->3389 3388->3396 3390 404242 19 API calls 3389->3390 3391 404165 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3390->3391 3392 401389 2 API calls 3391->3392 3393 4041ab 3392->3393 3393->3357 3394 4041b3 ShowWindow 3393->3394 3395 40428e SendMessageW 3394->3395 3395->3396 3396->3355 3396->3357 3398 4042a6 3397->3398 3399 404297 SendMessageW 3397->3399 3398->3386 3399->3398 3401 4061a0 18 API calls 3400->3401 3402 40424d SetDlgItemTextW 3401->3402 3402->3372 3403->3376 3404->3379 3405->3382 3408 401390 3406->3408 3407 4013fe 3407->3386 3408->3407 3409 4013cb MulDiv SendMessageW 3408->3409 3409->3408 3411 401389 2 API calls 3410->3411 3412 401420 3411->3412 3412->3370 3414 404222 3413->3414 3415 404228 SendMessageW 3413->3415 3414->3415 3415->3366 3417 4042c1 GetWindowLongW 3416->3417 3427 40434a 3416->3427 3418 4042d2 3417->3418 3417->3427 3419 4042e1 GetSysColor 3418->3419 3420 4042e4 3418->3420 3419->3420 3421 4042f4 SetBkMode 3420->3421 3422 4042ea SetTextColor 3420->3422 3423 404312 3421->3423 3424 40430c GetSysColor 3421->3424 3422->3421 3425 404323 3423->3425 3426 404319 SetBkColor 3423->3426 3424->3423 3425->3427 3428 404336 DeleteObject 3425->3428 3429 40433d CreateBrushIndirect 3425->3429 3426->3425 3427->3357 3428->3429 3429->3427 4415 40156b 4416 401584 4415->4416 4417 40157b ShowWindow 4415->4417 
4418 401592 ShowWindow 4416->4418 4419 402a4c 4416->4419 4417->4416 4418->4419 4420 40226e 4421 402275 4420->4421 4425 402288 4420->4425 4422 4061a0 18 API calls 4421->4422 4423 402282 4422->4423 4424 4058c3 MessageBoxIndirectW 4423->4424 4424->4425 4426 4014f1 SetForegroundWindow 4427 402a4c 4426->4427 4428 401673 4429 402bbf 18 API calls 4428->4429 4430 40167a 4429->4430 4431 402bbf 18 API calls 4430->4431 4432 401683 4431->4432 4433 402bbf 18 API calls 4432->4433 4434 40168c MoveFileW 4433->4434 4435 40169f 4434->4435 4441 401698 4434->4441 4436 4064c1 2 API calls 4435->4436 4439 4021e1 4435->4439 4438 4016ae 4436->4438 4437 401423 25 API calls 4437->4439 4438->4439 4440 40601f 38 API calls 4438->4440 4440->4441 4441->4437 4442 401cfa GetDlgItem GetClientRect 4443 402bbf 18 API calls 4442->4443 4444 401d2c LoadImageW SendMessageW 4443->4444 4445 401d4a DeleteObject 4444->4445 4446 402a4c 4444->4446 4445->4446 3891 40237b 3892 402381 3891->3892 3893 402bbf 18 API calls 3892->3893 3894 402393 3893->3894 3895 402bbf 18 API calls 3894->3895 3896 40239d RegCreateKeyExW 3895->3896 3897 4023c7 3896->3897 3901 402a4c 3896->3901 3898 4023e2 3897->3898 3899 402bbf 18 API calls 3897->3899 3900 4023ee 3898->3900 3903 402ba2 18 API calls 3898->3903 3902 4023d8 lstrlenW 3899->3902 3904 402409 RegSetValueExW 3900->3904 3905 4030e7 45 API calls 3900->3905 3902->3898 3903->3900 3906 40241f RegCloseKey 3904->3906 3905->3904 3906->3901 4454 4027fb 4455 402bbf 18 API calls 4454->4455 4456 402802 FindFirstFileW 4455->4456 4457 40282a 4456->4457 4460 402815 4456->4460 4458 402833 4457->4458 4462 4060c5 wsprintfW 4457->4462 4463 40617e lstrcpynW 4458->4463 4462->4458 4463->4460 4471 4014ff 4472 401507 4471->4472 4474 40151a 4471->4474 4473 402ba2 18 API calls 4472->4473 4473->4474 4475 401000 4476 401037 BeginPaint GetClientRect 4475->4476 4478 40100c DefWindowProcW 4475->4478 4479 4010f3 4476->4479 4482 401179 4478->4482 4480 401073 CreateBrushIndirect FillRect DeleteObject 
4479->4480 4481 4010fc 4479->4481 4480->4479 4483 401102 CreateFontIndirectW 4481->4483 4484 401167 EndPaint 4481->4484 4483->4484 4485 401112 6 API calls 4483->4485 4484->4482 4485->4484 4493 401904 4494 40193b 4493->4494 4495 402bbf 18 API calls 4494->4495 4496 401940 4495->4496 4497 40596f 69 API calls 4496->4497 4498 401949 4497->4498 4499 402d04 4500 402d16 SetTimer 4499->4500 4501 402d2f 4499->4501 4500->4501 4502 402d7d 4501->4502 4503 402d83 MulDiv 4501->4503 4504 402d3d wsprintfW SetWindowTextW SetDlgItemTextW 4503->4504 4504->4502 4506 403985 4507 403990 4506->4507 4508 403994 4507->4508 4509 403997 GlobalAlloc 4507->4509 4509->4508 3184 402786 3185 40278d 3184->3185 3188 4029f7 3184->3188 3192 402ba2 3185->3192 3187 402798 3189 40279f SetFilePointer 3187->3189 3189->3188 3190 4027af 3189->3190 3195 4060c5 wsprintfW 3190->3195 3193 4061a0 18 API calls 3192->3193 3194 402bb6 3193->3194 3194->3187 3195->3188 4510 401907 4511 402bbf 18 API calls 4510->4511 4512 40190e 4511->4512 4513 4058c3 MessageBoxIndirectW 4512->4513 4514 401917 4513->4514 4515 401e08 4516 402bbf 18 API calls 4515->4516 4517 401e0e 4516->4517 4518 402bbf 18 API calls 4517->4518 4519 401e17 4518->4519 4520 402bbf 18 API calls 4519->4520 4521 401e20 4520->4521 4522 402bbf 18 API calls 4521->4522 4523 401e29 4522->4523 4524 401423 25 API calls 4523->4524 4525 401e30 ShellExecuteW 4524->4525 4526 401e61 4525->4526 4532 404390 lstrlenW 4533 4043b1 WideCharToMultiByte 4532->4533 4534 4043af 4532->4534 4534->4533 4535 401491 4536 4052dd 25 API calls 4535->4536 4537 401498 4536->4537 4545 401a15 4546 402bbf 18 API calls 4545->4546 4547 401a1e ExpandEnvironmentStringsW 4546->4547 4548 401a32 4547->4548 4550 401a45 4547->4550 4549 401a37 lstrcmpW 4548->4549 4548->4550 4549->4550 4551 402515 4552 402bbf 18 API calls 4551->4552 4553 40251c 4552->4553 4556 405d53 GetFileAttributesW CreateFileW 4553->4556 4555 402528 4556->4555 4557 402095 4558 402bbf 18 API calls 4557->4558 4559 40209c 4558->4559 
4560 402bbf 18 API calls 4559->4560 4561 4020a6 4560->4561 4562 402bbf 18 API calls 4561->4562 4563 4020b0 4562->4563 4564 402bbf 18 API calls 4563->4564 4565 4020ba 4564->4565 4566 402bbf 18 API calls 4565->4566 4568 4020c4 4566->4568 4567 402103 CoCreateInstance 4572 402122 4567->4572 4568->4567 4569 402bbf 18 API calls 4568->4569 4569->4567 4570 401423 25 API calls 4571 4021e1 4570->4571 4572->4570 4572->4571 4573 401b16 4574 402bbf 18 API calls 4573->4574 4575 401b1d 4574->4575 4576 402ba2 18 API calls 4575->4576 4577 401b26 wsprintfW 4576->4577 4578 402a4c 4577->4578 4579 404696 4580 4046a6 4579->4580 4581 4046cc 4579->4581 4582 404242 19 API calls 4580->4582 4583 4042a9 8 API calls 4581->4583 4584 4046b3 SetDlgItemTextW 4582->4584 4585 4046d8 4583->4585 4584->4581 4586 40159b 4587 402bbf 18 API calls 4586->4587 4588 4015a2 SetFileAttributesW 4587->4588 4589 4015b4 4588->4589 3916 40541c 3917 4055c6 3916->3917 3918 40543d GetDlgItem GetDlgItem GetDlgItem 3916->3918 3920 4055f7 3917->3920 3921 4055cf GetDlgItem CreateThread CloseHandle 3917->3921 3961 404277 SendMessageW 3918->3961 3923 405622 3920->3923 3924 405647 3920->3924 3925 40560e ShowWindow ShowWindow 3920->3925 3921->3920 3964 4053b0 5 API calls 3921->3964 3922 4054ad 3927 4054b4 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3922->3927 3926 405682 3923->3926 3929 405636 3923->3929 3930 40565c ShowWindow 3923->3930 3931 4042a9 8 API calls 3924->3931 3963 404277 SendMessageW 3925->3963 3926->3924 3936 405690 SendMessageW 3926->3936 3934 405522 3927->3934 3935 405506 SendMessageW SendMessageW 3927->3935 3937 40421b SendMessageW 3929->3937 3932 40567c 3930->3932 3933 40566e 3930->3933 3938 405655 3931->3938 3940 40421b SendMessageW 3932->3940 3939 4052dd 25 API calls 3933->3939 3941 405535 3934->3941 3942 405527 SendMessageW 3934->3942 3935->3934 3936->3938 3943 4056a9 CreatePopupMenu 3936->3943 3937->3924 3939->3932 3940->3926 3945 404242 19 API calls 3941->3945 3942->3941 3944 4061a0 18 API 
calls 3943->3944 3946 4056b9 AppendMenuW 3944->3946 3947 405545 3945->3947 3948 4056d6 GetWindowRect 3946->3948 3949 4056e9 TrackPopupMenu 3946->3949 3950 405582 GetDlgItem SendMessageW 3947->3950 3951 40554e ShowWindow 3947->3951 3948->3949 3949->3938 3953 405704 3949->3953 3950->3938 3952 4055a9 SendMessageW SendMessageW 3950->3952 3954 405571 3951->3954 3955 405564 ShowWindow 3951->3955 3952->3938 3956 405720 SendMessageW 3953->3956 3962 404277 SendMessageW 3954->3962 3955->3954 3956->3956 3957 40573d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3956->3957 3959 405762 SendMessageW 3957->3959 3959->3959 3960 40578b GlobalUnlock SetClipboardData CloseClipboard 3959->3960 3960->3938 3961->3922 3962->3950 3963->3923 3965 40229d 3966 4022a5 3965->3966 3967 4022ab 3965->3967 3969 402bbf 18 API calls 3966->3969 3968 4022b9 3967->3968 3970 402bbf 18 API calls 3967->3970 3971 4022c7 3968->3971 3972 402bbf 18 API calls 3968->3972 3969->3967 3970->3968 3973 402bbf 18 API calls 3971->3973 3972->3971 3974 4022d0 WritePrivateProfileStringW 3973->3974 4590 401f1d 4591 402bbf 18 API calls 4590->4591 4592 401f24 4591->4592 4593 406558 5 API calls 4592->4593 4594 401f33 4593->4594 4595 401fb7 4594->4595 4596 401f4f GlobalAlloc 4594->4596 4596->4595 4597 401f63 4596->4597 4598 406558 5 API calls 4597->4598 4599 401f6a 4598->4599 4600 406558 5 API calls 4599->4600 4601 401f74 4600->4601 4601->4595 4605 4060c5 wsprintfW 4601->4605 4603 401fa9 4606 4060c5 wsprintfW 4603->4606 4605->4603 4606->4595 3975 40249e 3976 402cc9 19 API calls 3975->3976 3977 4024a8 3976->3977 3978 402ba2 18 API calls 3977->3978 3979 4024b1 3978->3979 3980 4024d5 RegEnumValueW 3979->3980 3981 4024c9 RegEnumKeyW 3979->3981 3982 40281e 3979->3982 3980->3982 3983 4024ee RegCloseKey 3980->3983 3981->3983 3983->3982 4607 40149e 4608 402288 4607->4608 4609 4014ac PostQuitMessage 4607->4609 4609->4608 4014 40231f 4015 402324 4014->4015 4016 40234f 4014->4016 4018 402cc9 19 API calls 4015->4018 4017 402bbf 18 

Control-flow Graph (function 004033B6; legend: Executed / Not Executed; graph edge data not reproduced)
APIs
• SetErrorMode.KERNELBASE ref: 004033D9
• GetVersion.KERNEL32 ref: 004033DF
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403408
• #17.COMCTL32(00000007,00000009), ref: 0040342B
• OleInitialize.OLE32(00000000), ref: 00403432
• SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 0040344E
• GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 00403463
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00000000), ref: 00403476
• CharNextW.USER32(00000000,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00000020), ref: 0040349D
  • Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
  • Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004035D7
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004035E8
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035F4
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403608
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403610
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403621
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403629
• DeleteFileW.KERNELBASE(1033), ref: 0040363D
  • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
• ExitProcess.KERNEL32(?), ref: 00403703
• CoUninitialize.COMBASE(?), ref: 00403708
• ExitProcess.KERNEL32 ref: 00403729
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00000000,?), ref: 0040373C
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00000000,?), ref: 0040374B
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00000000,?), ref: 00403756
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00000000,?), ref: 00403762
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040377E
• DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?), ref: 004037D8
• CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,00420EE8,00000001), ref: 004037EC
• CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 00403819
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403848
• OpenProcessToken.ADVAPI32(00000000), ref: 0040384F
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403864
• AdjustTokenPrivileges.ADVAPI32 ref: 00403887
• ExitWindowsEx.USER32(00000002,80040002), ref: 004038AC
• ExitProcess.KERNEL32 ref: 004038CF
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$Handle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
• String ID: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" $.tmp$1033$C:\Program Files\TeamViewer$C:\Program Files\TeamViewer\TVExtractTemp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD$C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 354199918-40274493
• Opcode ID: e8a7877e60441a61d01466cbee3218a59cd968db92503058061a8fd593dce739
• Instruction ID: be8551fa6605ebbbfda7487142ffb020be8bd547a3943651712312bea09c5587
• Opcode Fuzzy Hash: e8a7877e60441a61d01466cbee3218a59cd968db92503058061a8fd593dce739
• Instruction Fuzzy Hash: AED10571200300ABE7207F659D49A2B3AEDEB4074AF50443FF881B62D2DB7C8956876E

Control-flow Graph (function 0040596F; legend: Executed / Not Executed; graph edge data not reproduced)
APIs
• DeleteFileW.KERNELBASE(?,?,74DF3420,74DF2EE0,00000000), ref: 00405998
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 004059E0
• lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A03
• lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A09
• FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A19
• FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AB9
• FindClose.KERNEL32(00000000), ref: 00405AC8
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" $C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\*.*$\*.*
• API String ID: 2035342205-678098784
• Opcode ID: 3e74ea5c1780804c8595fdd51fd85a972d4f395f22791088baa2fc53644d391a
• Instruction ID: 6c547db7f4d1248ed83a6ec2b2b7cf99957869ea0eb35c9edb1a86952611c1c3
• Opcode Fuzzy Hash: 3e74ea5c1780804c8595fdd51fd85a972d4f395f22791088baa2fc53644d391a
• Instruction Fuzzy Hash: 5A41B530A40914A6CB21AB659CC9AAF7678EF41724F20427FF801711D1D77C5986DE6E
APIs
• FindFirstFileW.KERNELBASE(74DF3420,00426778,C:\,00405C83,C:\,C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 004064CC
• FindClose.KERNEL32(00000000), ref: 004064D8
Strings
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\$xgB
• API String ID: 2295610775-2001824454
• Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
• Instruction ID: 909a2899cbbcfc21b24ab628f9350e7a3c7b3772aa6d432f74911df6ac2d0bb5
• Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
• Instruction Fuzzy Hash: 8BD0C9315045209BC2111778AE4C85B7A98AF553317628A36B466F12A0C674CC22869C

Control-flow Graph
APIs
• GetDlgItem.USER32(?,00000403), ref: 0040547A
• GetDlgItem.USER32(?,000003EE), ref: 00405489
• GetClientRect.USER32(?,?), ref: 004054C6
• GetSystemMetrics.USER32(00000002), ref: 004054CD
• SendMessageW.USER32(?,00001061,00000000,?), ref: 004054EE
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054FF
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405512
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405520
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405533
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405555
• ShowWindow.USER32(?,00000008), ref: 00405569
• GetDlgItem.USER32(?,000003EC), ref: 0040558A
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559A
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B3
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055BF
• GetDlgItem.USER32(?,000003F8), ref: 00405498
  • Part of subcall function 00404277: SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285
• GetDlgItem.USER32(?,000003EC), ref: 004055DC
• CreateThread.KERNELBASE(00000000,00000000,Function_000053B0,00000000), ref: 004055EA
• CloseHandle.KERNEL32(00000000), ref: 004055F1
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00405615
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000008), ref: 0040561A
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000008), ref: 00405664
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405698
                                                                                                                                                                                                                                  • CreatePopupMenu.USER32 ref: 004056A9
                                                                                                                                                                                                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056BD
                                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004056DD
                                                                                                                                                                                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056F6
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040572E
                                                                                                                                                                                                                                  • OpenClipboard.USER32(00000000), ref: 0040573E
                                                                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 00405744
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405750
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 0040575A
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040576E
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040578E
                                                                                                                                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00405799
                                                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 0040579F
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: (7B${
• API String ID: 590372296-525222780

Control-flow Graph
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DA6
• ShowWindow.USER32(?), ref: 00403DC3
• DestroyWindow.USER32 ref: 00403DD7
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF3
• GetDlgItem.USER32(?,?), ref: 00403E14
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E28
• IsWindowEnabled.USER32(00000000), ref: 00403E2F
• GetDlgItem.USER32(?,00000001), ref: 00403EDD
• GetDlgItem.USER32(?,00000002), ref: 00403EE7
• SetClassLongW.USER32(?,000000F2,?), ref: 00403F01
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F52
• GetDlgItem.USER32(?,00000003), ref: 00403FF8
• ShowWindow.USER32(00000000,?), ref: 00404019
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040402B
• EnableWindow.USER32(?,?), ref: 00404046
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040405C
• EnableMenuItem.USER32(00000000), ref: 00404063
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040407B
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040408E
• lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 004040B7
• SetWindowTextW.USER32(?,00423728), ref: 004040CB
• ShowWindow.USER32(?,0000000A), ref: 004041FF
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID: (7B
• API String ID: 3282139019-3251261122

Control-flow Graph

control_flow_graph 285 4039c7-4039df call 406558 288 4039e1-4039f1 call 4060c5 285->288 289 4039f3-403a2a call 40604b 285->289 297 403a4d-403a76 call 403c9d call 405c3a 288->297 293 403a42-403a48 lstrcatW 289->293 294 403a2c-403a3d call 40604b 289->294 293->297 294->293 303 403b08-403b10 call 405c3a 297->303 304 403a7c-403a81 297->304 310 403b12-403b19 call 4061a0 303->310 311 403b1e-403b43 LoadImageW 303->311 304->303 305 403a87-403aaf call 40604b 304->305 305->303 314 403ab1-403ab5 305->314 310->311 312 403bc4-403bcc call 40140b 311->312 313 403b45-403b75 RegisterClassW 311->313 328 403bd6-403be1 call 403c9d 312->328 329 403bce-403bd1 312->329 316 403c93 313->316 317 403b7b-403bbf SystemParametersInfoW CreateWindowExW 313->317 319 403ac7-403ad3 lstrlenW 314->319 320 403ab7-403ac4 call 405b5f 314->320 321 403c95-403c9c 316->321 317->312 322 403ad5-403ae3 lstrcmpiW 319->322 323 403afb-403b03 call 405b32 call 40617e 319->323 320->319 322->323 327 403ae5-403aef GetFileAttributesW 322->327 323->303 331 403af1-403af3 327->331 332 403af5-403af6 call 405b7e 327->332 338 403be7-403c01 ShowWindow call 4064e8 328->338 339 403c6a-403c6b call 4053b0 328->339 329->321 331->323 331->332 332->323 346 403c03-403c08 call 4064e8 338->346 347 403c0d-403c1f GetClassInfoW 338->347 342 403c70-403c72 339->342 344 403c74-403c7a 342->344 345 403c8c-403c8e call 40140b 342->345 344->329 350 403c80-403c87 call 40140b 344->350 345->316 346->347 348 403c21-403c31 GetClassInfoW RegisterClassW 347->348 349 403c37-403c5a DialogBoxParamW call 40140b 347->349 348->349 355 403c5f-403c68 call 403917 349->355 350->329 355->321
APIs
  • Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
  • Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585
• lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00000000), ref: 00403A48
• lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files\TeamViewer,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,74DF3420), ref: 00403AC8
• lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files\TeamViewer,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403ADB
• GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403AE6
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\TeamViewer), ref: 00403B2F
  • Part of subcall function 004060C5: wsprintfW.USER32 ref: 004060D2
• RegisterClassW.USER32(004291E0), ref: 00403B6C
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B84
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BB9
• ShowWindow.USER32(00000005,00000000), ref: 00403BEF
• GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403C1B
• GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403C28
• RegisterClassW.USER32(004291E0), ref: 00403C31
• DialogBoxParamW.USER32(?,00000000,00403D6A,00000000), ref: 00403C50
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" $(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files\TeamViewer$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-3187729388
• Opcode ID: e4b79f2775376875fb57570f8962d2b7733680286c700de63aaa8ea03b262410
• Instruction ID: e7f44595d902892b35b801f2f0c3734befc0b18a393fec54347386a87508d522
• Opcode Fuzzy Hash: e4b79f2775376875fb57570f8962d2b7733680286c700de63aaa8ea03b262410
• Instruction Fuzzy Hash: 8661C570244200BAD730AF669D49E2B3A7CEB84B49F40453FF981B62E2DB7D5912C63D

Control-flow Graph

control_flow_graph 359 402e41-402e8f GetTickCount GetModuleFileNameW call 405d53 362 402e91-402e96 359->362 363 402e9b-402ec9 call 40617e call 405b7e call 40617e GetFileSize 359->363 364 4030e0-4030e4 362->364 371 402fb9-402fc7 call 402d9f 363->371 372 402ecf-402ee6 363->372 379 403098-40309d 371->379 380 402fcd-402fd0 371->380 374 402ee8 372->374 375 402eea-402ef7 call 403358 372->375 374->375 381 403054-40305c call 402d9f 375->381 382 402efd-402f03 375->382 379->364 383 402fd2-402fea call 40336e call 403358 380->383 384 402ffc-403048 GlobalAlloc call 406677 call 405d82 CreateFileW 380->384 381->379 385 402f83-402f87 382->385 386 402f05-402f1d call 405d0e 382->386 383->379 407 402ff0-402ff6 383->407 410 40304a-40304f 384->410 411 40305e-40308e call 40336e call 4030e7 384->411 390 402f90-402f96 385->390 391 402f89-402f8f call 402d9f 385->391 386->390 405 402f1f-402f26 386->405 398 402f98-402fa6 call 406609 390->398 399 402fa9-402fb3 390->399 391->390 398->399 399->371 399->372 405->390 409 402f28-402f2f 405->409 407->379 407->384 409->390 412 402f31-402f38 409->412 410->364 418 403093-403096 411->418 412->390 414 402f3a-402f41 412->414 414->390 416 402f43-402f63 414->416 416->379 419 402f69-402f6d 416->419 418->379 420 40309f-4030b0 418->420 421 402f75-402f7d 419->421 422 402f6f-402f73 419->422 423 4030b2 420->423 424 4030b8-4030bd 420->424 421->390 425 402f7f-402f81 421->425 422->371 422->421 423->424 426 4030be-4030c4 424->426 425->390 426->426 427 4030c6-4030de call 405d0e 426->427 427->364
APIs
• GetTickCount.KERNEL32 ref: 00402E55
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,00000400), ref: 00402E71
  • Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,80000000,00000003), ref: 00405D57
  • Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
• GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,80000000,00000003), ref: 00402EBA
• GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403001
Strings
• soft, xrefs: 00402F31
• Error launching installer, xrefs: 00402E91
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040304A
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403098
• Null, xrefs: 00402F3A
• Inst, xrefs: 00402F28
• C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe, xrefs: 00402E5B, 00402E6A, 00402E7E, 00402E9B
• C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD, xrefs: 00402E9C, 00402EA1, 00402EA7
• "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" , xrefs: 00402E41
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402E4B, 00403019
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD$C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 2803837635-1373743479
• Opcode ID: a88f7b64cf2f84ce6159e852375487555ed60e3ec4e5ecaf9a54fe269baa00ef
• Instruction ID: e866f1dd798e5fb15c0a347603bcfded6ce2f229c2e481af73dd86df93422dd6
• Opcode Fuzzy Hash: a88f7b64cf2f84ce6159e852375487555ed60e3ec4e5ecaf9a54fe269baa00ef
• Instruction Fuzzy Hash: 9761C431A00215ABDB209F75DD49B9E7BB8EB00359F20817FF500F62D1DABD9A448B5D

Control-flow Graph (rendered graph of function 4061a0 omitted; executed / not-executed legend and raw edge list not reproduced)
APIs
• GetVersion.KERNEL32(00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,?,00405314,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000), ref: 00406263
• GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004062E1
• GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004062F4
• SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406330
• SHGetPathFromIDListW.SHELL32(?,Remove folder: ), ref: 0040633E
• CoTaskMemFree.OLE32(?), ref: 00406349
• lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040636D
• lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,?,00405314,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000), ref: 004063C7
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-3439563036
• Opcode ID: ad7f9d25d5d15659371a18125183daf3d831ef86bf1ddb5fded95f80f67ed536
• Instruction ID: 57c77dc533264c97ace6329bd87f7d674c2bea75a5b3d90d15d675b8bae5a73d
• Opcode Fuzzy Hash: ad7f9d25d5d15659371a18125183daf3d831ef86bf1ddb5fded95f80f67ed536
• Instruction Fuzzy Hash: 1E611571A00104EBDF209F24CC40AAE37A5AF15314F56817FED56BA2D0D73D8AA2CB9D

Control-flow Graph (rendered graph of function 4052dd omitted; executed / not-executed legend and raw edge list not reproduced)
APIs
• lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
• lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
• lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00402E19,00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000), ref: 00405338
• SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\), ref: 0040534A
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
• SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\
• API String ID: 2531174081-2889978620
• Opcode ID: 972aac7018336843b0c890e7bd87d5dddbcc3b404b63b40d4461520666951a00
• Instruction ID: d14990956ab1253184f877e9e8298894284f42a30aea32824f5004b5108fa95f
• Opcode Fuzzy Hash: 972aac7018336843b0c890e7bd87d5dddbcc3b404b63b40d4461520666951a00
• Instruction Fuzzy Hash: 62217F71900518BACF119FA6DD44ACFBFB8EF85354F10807AF904B62A1C7B94A51DFA8

Control-flow Graph (rendered graph of function 401767 omitted; executed / not-executed legend and raw edge list not reproduced)
APIs
• lstrcatW.KERNEL32(00000000,00000000,InstallTeamViewer(): Error!!! Installation files could not be extracted. Installation aborted!,C:\Program Files\TeamViewer\TVExtractTemp,?,?,00000031), ref: 004017A8
• CompareFileTime.KERNEL32(-00000014,?,InstallTeamViewer(): Error!!! Installation files could not be extracted. Installation aborted!,InstallTeamViewer(): Error!!! Installation files could not be extracted. Installation aborted!,00000000,00000000,InstallTeamViewer(): Error!!! Installation files could not be extracted. Installation aborted!,C:\Program Files\TeamViewer\TVExtractTemp,?,?,00000031), ref: 004017CD
  • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
  • Part of subcall function 004052DD: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00402E19,00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000), ref: 00405338
  • Part of subcall function 004052DD: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\), ref: 0040534A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
  • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                                                                  • String ID: C:\Program Files\TeamViewer\TVExtractTemp$InstallTeamViewer(): Error!!! Installation files could not be extracted. Installation aborted!
                                                                                                                                                                                                                                  • API String ID: 1941528284-2970256656
                                                                                                                                                                                                                                  • Opcode ID: 1862fb3b77c31d46c0470bd97efe8d86f4df64904e2d1f4c121f71988b6a393e
                                                                                                                                                                                                                                  • Instruction ID: b64174440326d41e90dd14f1ad6608c73badddfa8ee8632f400ec40acf256ac3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1862fb3b77c31d46c0470bd97efe8d86f4df64904e2d1f4c121f71988b6a393e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0C41C431900515BACF117FB5CC46DAE3679EF05329B20827BF422F51E2DA3C86629A6D

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 636 402d9f-402dae 637 402db0-402db7 636->637 638 402dc8-402dce 636->638 641 402dc0-402dc6 637->641 642 402db9-402dba DestroyWindow 637->642 639 402dd0-402dd6 call 406594 638->639 640 402dd8-402de4 GetTickCount 638->640 645 402e3e-402e40 639->645 644 402de6-402dec 640->644 640->645 641->645 642->641 647 402e1b-402e38 CreateDialogParamW ShowWindow 644->647 648 402dee-402df5 644->648 647->645 648->645 649 402df7-402e14 call 402d83 wsprintfW call 4052dd 648->649 653 402e19 649->653 653->645
APIs
• DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
• GetTickCount.KERNEL32 ref: 00402DD8
• wsprintfW.USER32 ref: 00402E06
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
  • Part of subcall function 004052DD: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00402E19,00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000), ref: 00405338
  • Part of subcall function 004052DD: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\), ref: 0040534A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
  • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
• CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
• ShowWindow.USER32(00000000,00000005), ref: 00402E38
  • Part of subcall function 00402D83: MulDiv.KERNEL32(00056D1C,00000064,0005863F), ref: 00402D98
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
• Opcode ID: fea16c4b337e24937a113fc6e035eb6b9d553e5e7cb87782fe297e9c5fc018cb
• Instruction ID: 67f39cb704aca6262626a7976268bb3bb8a333bdab68892006d91dd8afb4411f
• Opcode Fuzzy Hash: fea16c4b337e24937a113fc6e035eb6b9d553e5e7cb87782fe297e9c5fc018cb
• Instruction Fuzzy Hash: 96016D70541614EBC721AB60EF4DA9B7A68AF00706B14417FF885F12E0CBF85865CBEE

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 654 4057ac-4057f7 CreateDirectoryW 655 4057f9-4057fb 654->655 656 4057fd-40580a GetLastError 654->656 657 405824-405826 655->657 656->657 658 40580c-405820 SetFileSecurityW 656->658 658->655 659 405822 GetLastError 658->659 659->657
APIs
• CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
• GetLastError.KERNEL32 ref: 00405803
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405818
• GetLastError.KERNEL32 ref: 00405822
Strings
• C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD, xrefs: 004057AC
• C:\Users\user\AppData\Local\Temp\, xrefs: 004057D2
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD
• API String ID: 3449924974-3423635631
• Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
• Instruction ID: b278f7ea68de5888e34302da86fdb06c438f4ef9b03e74a9ab654546e4f81ce2
• Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
• Instruction Fuzzy Hash: 89010871D00619DADF10DBA0D9447EFBFB8EB04304F00803ADA44B6190E7789618DFA9

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 660 4064e8-406508 GetSystemDirectoryW 661 40650a 660->661 662 40650c-40650e 660->662 661->662 663 406510-406519 662->663 664 40651f-406521 662->664 663->664 665 40651b-40651d 663->665 666 406522-406555 wsprintfW LoadLibraryExW 664->666 665->666
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
• wsprintfW.USER32 ref: 0040653A
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040654E
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
• Instruction ID: c6b4a3c42f63eea3762d57d51081eb848d485012b63e63803453d9912f42ff06
• Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
• Instruction Fuzzy Hash: 3AF0FC70500219BADB10AB64ED0DF9B366CAB00304F10403AA646F10D0EB7CD725CBA8

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 667 405d82-405d8e 668 405d8f-405dc3 GetTickCount GetTempFileNameW 667->668 669 405dd2-405dd4 668->669 670 405dc5-405dc7 668->670 672 405dcc-405dcf 669->672 670->668 671 405dc9 670->671 671->672
APIs
• GetTickCount.KERNEL32 ref: 00405DA0
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,004033B4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405DBB
Strings
• "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" , xrefs: 00405D82
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405D87
• nsa, xrefs: 00405D8F
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" $C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-867520439
• Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
• Instruction ID: a69a53d4b23f3d63feeda802a3e8a765614c71270742c911b33c62312df6cecc
• Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
• Instruction Fuzzy Hash: 32F06D76600608BBDB008B59DD09AABBBB8EF91710F10803BEE01F7190E6B09A548B64

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 673 402bff-402c28 RegOpenKeyExW 674 402c93-402c97 673->674 675 402c2a-402c35 673->675 676 402c50-402c60 RegEnumKeyW 675->676 677 402c62-402c74 RegCloseKey call 406558 676->677 678 402c37-402c3a 676->678 686 402c76-402c85 677->686 687 402c9a-402ca0 677->687 679 402c87-402c8a RegCloseKey 678->679 680 402c3c-402c4e call 402bff 678->680 684 402c90-402c92 679->684 680->676 680->677 684->674 686->674 687->684 688 402ca2-402cb0 RegDeleteKeyW 687->688 688->684 689 402cb2 688->689 689->674
APIs
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
• RegCloseKey.ADVAPI32(?), ref: 00402C65
• RegCloseKey.ADVAPI32(?), ref: 00402C8A
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 58c60bd3f3897121054778c1da70f1d8408b3ab71b88223ff436e3f080a0af7a
• Instruction ID: b9f5b7c8593eadded22e2ca3cbb8d83d08b5e31647f9888e60cfbaa55d101d4e
• Opcode Fuzzy Hash: 58c60bd3f3897121054778c1da70f1d8408b3ab71b88223ff436e3f080a0af7a
• Instruction Fuzzy Hash: 66116A71504119FFEF10AF90DF8CEAE3B79FB14384B10007AF905E11A0D7B58E55AA69

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 691 401bdf-401bf7 call 402ba2 * 2 696 401c03-401c07 691->696 697 401bf9-401c00 call 402bbf 691->697 699 401c13-401c19 696->699 700 401c09-401c10 call 402bbf 696->700 697->696 703 401c1b-401c2f call 402ba2 * 2 699->703 704 401c5f-401c89 call 402bbf * 2 FindWindowExW 699->704 700->699 715 401c31-401c4d SendMessageTimeoutW 703->715 716 401c4f-401c5d SendMessageW 703->716 714 401c8f 704->714 717 401c92-401c95 714->717 715->717 716->714 718 401c9b 717->718 719 402a4c-402a5b 717->719 718->719
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
• Instruction ID: 9ab6cbc1baff8286944736a18d7265b6422843b7a732a624d4201333bc7942cf
• Opcode Fuzzy Hash: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
• Instruction Fuzzy Hash: F2219071940209BEEF01AFB5CE4AABE7B75EF44744F10403EFA01B61D1D6B88A409B69
APIs
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Remove folder: ,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 00406075
• RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 00406096
• RegCloseKey.KERNELBASE(?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 004060B9
Strings
Similarity
• API ID: CloseOpenQueryValue
• String ID: Remove folder:
• API String ID: 3677997916-1958208860
• Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
• Instruction ID: 0186f18981595c0b19feb364ea02d5f95392918b8fa258a18f8687652683a575
• Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
• Instruction Fuzzy Hash: 4501483115020AEADF21CF66ED08E9B3BA8EF84390B01402AF845D2220D735D964DBA5
APIs
• RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
• lstrlenW.KERNEL32(0040B5D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
• RegSetValueExW.KERNELBASE(?,?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
• RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Similarity
• API ID: CloseCreateValuelstrlen
• String ID:
• API String ID: 1356686001-0
• Opcode ID: 67c77c8d659d9d4bc82cacddac1e216fe0077c84403bdf1d9c96e54a2d3d16bf
• Instruction ID: d84b147cfae213de6894e87518a1957a70c03431d85ade02b305fde94438308f
• Opcode Fuzzy Hash: 67c77c8d659d9d4bc82cacddac1e216fe0077c84403bdf1d9c96e54a2d3d16bf
• Instruction Fuzzy Hash: E511C071E00108BFEB10AFA4DE89DAE777DEB14358F11403AF904B71D1DBB85E409668
APIs
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038E7
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038FB
Strings
• C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\, xrefs: 0040390B
• C:\Users\user\AppData\Local\Temp\, xrefs: 004038DA
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\
• API String ID: 2962429428-775491263
• Opcode ID: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
• Instruction ID: 23b98c188a40640ee87c89e263e7d2a3484f90a0975adae1b2ea6fd77d705eba
• Opcode Fuzzy Hash: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
• Instruction Fuzzy Hash: 78E086B14407149AC124AF7CAD495853A185F453357248726F178F20F0C778996B5E9D
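The function summaries above all share one shape: an `APIs` section with one `• Api.Module(args), ref: ADDR` line per call (callee calls prefixed `Part of subcall function ADDR:`), an optional `Strings` section with `, xrefs: ADDR` entries, then metadata. A report of this size has hundreds of such blocks, and the interesting ones (the block that calls RegCreateKeyExW and RegSetValueExW, the blocks that reference `Software\Microsoft\Windows\CurrentVersion` or the user's `AppData\Local\Temp` directory) are easier to find by parsing than by reading. The parser and tagging rules below are an added example written for this page, not Joe Sandbox tooling; the sample input is a constructed excerpt of three blocks copied from the listings above, and the tag names (`registry-write`, `registry-read`, `currentversion-key`, `user-temp-dir`) are this example's own. One caveat a triager should keep in mind: the argument columns are values recovered from the stack at call time and can include stale data from the caller's frame, so a tag is a lead to confirm in the disassembly at the listed `ref` address, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# One call line of a Joe Sandbox function summary; a "Part of subcall function ADDR:" prefix is captured too.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# One entry of the Strings section: "• <string>, xrefs: ADDR"
_STR_RE = re.compile(r"^\s*•\s*(?P<s>.*?),\s*xrefs:\s*[0-9A-Fa-f]{8}")
_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

def parse_call(line: str) -> Optional[ApiCall]:
    """Parse one bullet line; None for lines that are not API calls."""
    m = _CALL_RE.match(line)
    if not m:
        return None
    # Plain comma split is enough here: the string arguments on this page contain no commas.
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub"))

def parse_report(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per 'APIs' header; the metadata sections are skipped."""
    blocks: List[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in _HEADERS:
            section = line
            if line == "APIs":
                blocks.append(FunctionBlock())
        elif blocks and section == "APIs":
            call = parse_call(line)
            if call:
                blocks[-1].calls.append(call)
        elif blocks and section == "Strings":
            m = _STR_RE.match(line)
            if m:
                blocks[-1].strings.append(m.group("s"))
    return blocks

def classify(block: FunctionBlock) -> Set[str]:
    """Tag a block by what its calls and strings touch (tag names are this example's own)."""
    tags: Set[str] = set()
    apis = [c.api for c in block.calls]
    if any(a.startswith("RegSetValue") for a in apis):
        tags.add("registry-write")
    if any(a.startswith("RegQueryValue") for a in apis):
        tags.add("registry-read")
    # Argument columns are stack snapshots and can hold stale caller data: treat hits as leads.
    haystack = " ".join(a for c in block.calls for a in c.args) + " " + " ".join(block.strings)
    if "Software\\Microsoft\\Windows\\CurrentVersion" in haystack:
        tags.add("currentversion-key")
    if "\\AppData\\Local\\Temp\\" in haystack:
        tags.add("user-temp-dir")
    return tags

def summarize(text: str) -> List[Tuple[str, List[str]]]:
    """(address of the block's first call, sorted tags) for every block that has calls."""
    return [(b.calls[0].ref, sorted(classify(b))) for b in parse_report(text) if b.calls]

# Constructed sample: three function blocks copied from the listings on this page.
SAMPLE = r"""APIs
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Remove folder: ,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 00406075
• RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 00406096
• RegCloseKey.KERNELBASE(?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 004060B9
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
APIs
• RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
• RegSetValueExW.KERNELBASE(?,?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
• RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
APIs
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038E7
Strings
• C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\, xrefs: 0040390B
• C:\Users\user\AppData\Local\Temp\, xrefs: 004038DA
"""

if __name__ == "__main__":
    for ref, tags in summarize(SAMPLE):
        print(ref, ", ".join(tags) or "-")
```

Run as a script it prints one line per block, the address of the block's first call followed by its tags, so the RegCreateKeyExW/RegSetValueExW block surfaces as `004023B9 registry-write` and the temp-directory block as `004038E7 user-temp-dir`. To apply it to a full report, paste the function summaries into `SAMPLE` or read them from a file; the heavily indented lines of the exported page are handled because every line is stripped before matching.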
APIs
  • Part of subcall function 00405BDD: CharNextW.USER32(?,?,C:\,?,00405C51,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
  • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
  • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
  • Part of subcall function 004057AC: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
• SetCurrentDirectoryW.KERNEL32(?,C:\Program Files\TeamViewer\TVExtractTemp,?,00000000,000000F0), ref: 00401645
Strings
• C:\Program Files\TeamViewer\TVExtractTemp, xrefs: 00401638
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Program Files\TeamViewer\TVExtractTemp
• API String ID: 1892508949-2667424760
• Opcode ID: 2305ffb504cd1727ef0d2f6d990949bd10217623809cec2c7a11ebe9bcb6ddd7
• Instruction ID: 18abe7de9e9977a76830232601504265d2e6edcedfe07fce7f69d5744a4425eb
• Opcode Fuzzy Hash: 2305ffb504cd1727ef0d2f6d990949bd10217623809cec2c7a11ebe9bcb6ddd7
• Instruction Fuzzy Hash: F911E631500504EBCF207FA0CD0199E3AB2EF44364B25453BF906B61F2DA3D4A819E5E
APIs
  • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
  • Part of subcall function 00405BDD: CharNextW.USER32(?,?,C:\,?,00405C51,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
  • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
  • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
• lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405C93
• GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 00405CA3
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\
• API String ID: 3248276644-3404278061
• Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
• Instruction ID: 790be11e20efdccda9c73cacd4945748764c6204d4d0b11914a12a4c94a1ccfd
• Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
• Instruction Fuzzy Hash: 41F0F925108F6515F62233790D05EAF2554CF82394755067FF891B12D1DB3C9D938C7D
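The two function entries above are the kind of listing an analyst ends up scraping by hand: the flat "APIs" list mixes the function's own calls with calls that happen inside subcalls, and the only ordering hint is the `ref:` call-site address. The script below is an added example, not Joe Sandbox's code or anything from the sample; it parses the APIs/Strings blocks of the two entries (copied from this section into a constructed `SAMPLE`), puts the direct calls into address order, groups the "Part of subcall function" lines under their parent function, and collects the Windows paths the function touches. For the TVExtractTemp entry that yields the probe-then-chdir sequence (`GetFileAttributesW` at 00401612, `SetCurrentDirectoryW` at 00401645) with `CreateDirectoryW` attributed to subcall 004057AC, and for the second entry it surfaces the `NSIS Error` argument that marks this as NSIS installer stub code. The regexes, helper names and the rule that an "APIs" header starts a new entry are my assumptions about the listing format, not a documented schema.

```python
"""Parse Joe Sandbox per-function "APIs"/"Strings" blocks (plain-text form) into
records, then derive the direct call sequence, the subcall grouping and the
paths touched. Added example, not Joe Sandbox code. SAMPLE is constructed by
copying two entries from this report; the parsing rules are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = r"""APIs
  • Part of subcall function 00405BDD: CharNextW.USER32(?,?,C:\,?,00405C51,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
  • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
  • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
  • Part of subcall function 004057AC: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
• SetCurrentDirectoryW.KERNEL32(?,C:\Program Files\TeamViewer\TVExtractTemp,?,00000000,000000F0), ref: 00401645
Strings
• C:\Program Files\TeamViewer\TVExtractTemp, xrefs: 00401638
APIs
  • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
• lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405C93
• GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 00405CA3
Strings
"""

# Assumed line shapes: "<bullet> [Part of subcall function ADDR: ]Api.Module(args), ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
STRING_LINE = re.compile(r"^\s*•\s*(?P<value>.*), xrefs:\s*(?P<xref>[0-9A-F]{8})\s*$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")  # drive-letter path, e.g. C:\ or C:\Users\...


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                 # call-site address
    parent: Optional[int]    # subcall function containing the call; None if direct


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)  # (value, xref)


def parse_entries(text: str) -> List[FunctionEntry]:
    """Each "APIs" header starts a new function entry; "Strings" switches section."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry()
            entries.append(current)
            section = "apis"
        elif stripped == "Strings":
            section = "strings"
        elif current is None or not stripped:
            continue
        elif section == "apis" and (m := API_LINE.match(line)):
            # Arguments are comma separated; none of the listed values contain commas.
            current.calls.append(ApiCall(
                api=m["api"], module=m["module"],
                args=[a.strip() for a in m["args"].split(",")],
                ref=int(m["ref"], 16),
                parent=int(m["parent"], 16) if m["parent"] else None))
        elif section == "strings" and (m := STRING_LINE.match(line)):
            current.strings.append((m["value"], int(m["xref"], 16)))
    return entries


def direct_sequence(entry: FunctionEntry) -> List[str]:
    """Calls made by the function itself, in call-site address order."""
    own = sorted((c for c in entry.calls if c.parent is None), key=lambda c: c.ref)
    return [f"{c.api}@{c.ref:08X}" for c in own]


def subcall_tree(entry: FunctionEntry) -> dict:
    """Calls reported inside subcalls, grouped by parent function address."""
    tree: dict = {}
    for c in sorted(entry.calls, key=lambda c: c.ref):
        if c.parent is not None:
            tree.setdefault(c.parent, []).append(f"{c.api}@{c.ref:08X}")
    return tree


def paths_touched(entry: FunctionEntry) -> set:
    """Windows paths seen either as call arguments or as string xrefs."""
    found = {a for c in entry.calls for a in c.args if WIN_PATH.match(a)}
    found |= {s for s, _ in entry.strings if WIN_PATH.match(s)}
    return found


if __name__ == "__main__":
    for i, entry in enumerate(parse_entries(SAMPLE)):
        tree = {f"{k:08X}": v for k, v in subcall_tree(entry).items()}
        print(f"entry {i}: direct={direct_sequence(entry)}")
        print(f"         subcalls={tree}")
        print(f"         paths={sorted(paths_touched(entry))}")
```

Splitting the arguments on commas is safe for the values on this page but would break on a string argument that itself contains a comma; a production version should parse the listing's HTML rather than the flattened text.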
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
• Instruction ID: 95c87b37ce546c92696c349aad8761a6baa0f42cb897a758cf539d426e2a5a70
• Opcode Fuzzy Hash: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
• Instruction Fuzzy Hash: 65A13471D00229CBDF28CFA8C844AADBBB1FF44305F15816AD956BB281D7785A86DF44
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
• Instruction ID: dd225a6952a4a1885b566de7f95e3528e0c965b1b64db9b9769652e5c735704b
• Opcode Fuzzy Hash: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
• Instruction Fuzzy Hash: 3D913370D04229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB291C7789A86DF45
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
                                                                                                                                                                                                                                  • Instruction ID: c728d5504c89e28601c55753f21d2f559f3974f1a6ce44cf054f885a45476dee
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 06813471D04228CFDF24CFA8C844BADBBB1FB44305F25816AD856BB291C7789A86DF45
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
                                                                                                                                                                                                                                  • Instruction ID: 5389f57cfb4a3ea8b0a271fe5c21418892ef356aef38e154ca47b5156c43700c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 37816831D04229CBDF24CFA8C844BADBBB0FF44305F11816AD956BB281D7785986DF45
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
                                                                                                                                                                                                                                  • Instruction ID: 7cecadd07089ef5f508d2048bcf4206a214b5fe31ba49bd0cdf53ec9cfb3ce0b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35712175D04228CBDF28CFA8C844BADBBB1FB44305F15816AD806BB281D7789A96DF44
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
                                                                                                                                                                                                                                  • Instruction ID: f96eec566abe8136b7696836c8602221009d3abbc3cba5cf828ad5cd02611e0d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 56713371D04228CBEF28CFA8C844BADBBB1FF44305F15816AD856BB281C7789996DF45
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetTickCount.KERNEL32 ref: 00403203
  • Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 00403236
• SetFilePointer.KERNELBASE(04609CEA,00000000,00000000,00414ED0,00004000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000), ref: 00403331
Similarity
• API ID: FilePointer$CountTick
• String ID:
• API String ID: 1092082344-0
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
  • Part of subcall function 004052DD: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00402E19,00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000), ref: 00405338
  • Part of subcall function 004052DD: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\), ref: 0040534A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
  • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401BA7
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9
Strings
• InstallTeamViewer(): Error!!! Installation files could not be extracted. Installation aborted!, xrefs: 00401B5E, 00401B64, 00401B7E
Similarity
• API ID: Global$AllocFree
• String ID: InstallTeamViewer(): Error!!! Installation files could not be extracted. Installation aborted!
• API String ID: 3394109436-3224948528
                                                                                                                                                                                                                                  • Opcode ID: e295b54685931270dff86f202c2fdefb044b2b91f5e4e3df0bc5e06abf08786f
                                                                                                                                                                                                                                  • Instruction ID: 7cdfc3cbb2e69f4264c6c6693aec6085e55c642d7687a467de19211c04d07d9e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e295b54685931270dff86f202c2fdefb044b2b91f5e4e3df0bc5e06abf08786f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 67219672A00100EBDB20EB94CD85D5E77B6AF84314B21453BF502F72E1DA7898618F5D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,?,0040B5D8,000000FF,0040ADD8,00000400,?,?,00000021), ref: 00402583
                                                                                                                                                                                                                                  • lstrlenA.KERNEL32(0040ADD8,?,?,0040B5D8,000000FF,0040ADD8,00000400,?,?,00000021), ref: 0040258E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWidelstrlen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3109718747-0
                                                                                                                                                                                                                                  • Opcode ID: 850b0114aee89c8d8b14894d23efcefd65d0faa324c372d2657d007c57cf9cb9
                                                                                                                                                                                                                                  • Instruction ID: 4789cac02ba757069cd1743e95fa376523a080456913a55bd7acca95e4ec0b97
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 850b0114aee89c8d8b14894d23efcefd65d0faa324c372d2657d007c57cf9cb9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CA11E772A01204BADB10AFB18F4EE9E32659F54355F20403BF502F65C1DAFC8E51576E
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 004064C1: FindFirstFileW.KERNELBASE(74DF3420,00426778,C:\,00405C83,C:\,C:\,00000000,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 004064CC
                                                                                                                                                                                                                                    • Part of subcall function 004064C1: FindClose.KERNEL32(00000000), ref: 004064D8
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 0040222A
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(00000000), ref: 00402235
                                                                                                                                                                                                                                  • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040225E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1486964399-0
                                                                                                                                                                                                                                  • Opcode ID: f9a99ba4a91a9f4c9246cf651f25ea3f75fba1548a7733be5ccfd7ea764f24a6
                                                                                                                                                                                                                                  • Instruction ID: 9c43d8eab5e28b8efadc9e1ada5fd511aa80cab417b32b1cb638ddde26c09318
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f9a99ba4a91a9f4c9246cf651f25ea3f75fba1548a7733be5ccfd7ea764f24a6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4711707190021896CB10EFF98D4999EB7F8AF04314F10807FA905FB2DAE6B8D9018B69
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                                                                                                                                                                                  • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                                                                                                                                                                                                  • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
                                                                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Enum$CloseOpenValue
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 167947723-0
                                                                                                                                                                                                                                  • Opcode ID: 60ac1395f0a982b77a3977587a1bd86f46e362b2f506b0714e0df90dc524a01b
                                                                                                                                                                                                                                  • Instruction ID: c7ec42ec2a5b8cbcf97019b844e04a4f9c539befeef3331d530b96059407f5ff
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 60ac1395f0a982b77a3977587a1bd86f46e362b2f506b0714e0df90dc524a01b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FCF03171A14204EBEB209F65DE8CABF767DEF80354B10843FF505B61D0DAB84D419B69
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00405D2E: GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
                                                                                                                                                                                                                                    • Part of subcall function 00405D2E: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405D47
                                                                                                                                                                                                                                  • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405B09), ref: 00405942
                                                                                                                                                                                                                                  • DeleteFileW.KERNELBASE(?,?,?,00000000,00405B09), ref: 0040594A
                                                                                                                                                                                                                                  • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405962
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
APIs
• SendMessageW.USER32(00000408,?,00000000,00403E78), ref: 00404239
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend
• String ID: x
• API String ID: 3850602802-2363233923
APIs
• SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 0040310C
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
• RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
• RegCloseKey.ADVAPI32(00000000), ref: 00402347
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Similarity
• API ID: CloseDeleteOpenValue
• String ID:
• API String ID: 849931509-0
APIs
• OleInitialize.OLE32(00000000), ref: 004053C0
  • Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
• CoUninitialize.COMBASE(00000404,00000000), ref: 0040540C
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
• GetProcAddress.KERNEL32(00000000,?), ref: 00406585
  • Part of subcall function 004064E8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
  • Part of subcall function 004064E8: wsprintfW.USER32 ref: 0040653A
  • Part of subcall function 004064E8: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040654E
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
APIs
• ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
• KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 00401DFD
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CallbackDispatcherShowUserWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 82835404-0
                                                                                                                                                                                                                                  • Opcode ID: f95c109804867172db61b1135defe61bd419d678e2b077b04fc1289a75674494
                                                                                                                                                                                                                                  • Instruction ID: 21ddd3577add1129786b8edf5e015a7aca6159172531db4ba1f8ff50d12c07f3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f95c109804867172db61b1135defe61bd419d678e2b077b04fc1289a75674494
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3E08C326005009BCB20AFB5AA4999D3375EF50369710017BE402F10E1CABC9C408A2D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,74DF3420,00000000,74DF2EE0,00403909,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 0040394C
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(?), ref: 00403953
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Free$GlobalLibrary
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1100898210-0
                                                                                                                                                                                                                                  • Opcode ID: f4316848cbc6ebdc68634a281282690bfac6e24f3e15d004bec6d27d8a9ac131
                                                                                                                                                                                                                                  • Instruction ID: 420717e04dc644aaadfe3aeddcd4797dc829437e29e913c3c6529364dabb0ba4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f4316848cbc6ebdc68634a281282690bfac6e24f3e15d004bec6d27d8a9ac131
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 41E012739011309BC6225F95ED44B5E7B6D6F95B32F0A423AE9807B26087B45D838FD8
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,80000000,00000003), ref: 00405D57
                                                                                                                                                                                                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$AttributesCreate
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 415043291-0
                                                                                                                                                                                                                                  • Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
                                                                                                                                                                                                                                  • Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
                                                                                                                                                                                                                                  • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405D47
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                                                  • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                                                                                                                                                                                                  • Instruction ID: 62c1218995ad43f24aa052634507c0d83541fa9dca801c4eab67991220ff17ac
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 40D01272504520AFC2513738EF0C89BBF95EB543B17028B35FAF9A22F0DB304C568A98
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040582F
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040583D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
  • Part of subcall function 004060C5: wsprintfW.USER32 ref: 004060D2
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
APIs
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
APIs
• WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00410E7F,0040CED0,004032EF,0040CED0,00410E7F,00414ED0,00004000,?,00000000,00403119,00000004), ref: 00405E19
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 71445658-0
                                                                                                                                                                                                                                  • Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
                                                                                                                                                                                                                                  • Instruction ID: ef45ff86538a2d51f1b0222ec8c1b297abd10be8bd22699319dc95f068cee933
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CCE08676244108BFDB00DFA8DE47FD537ECAB14700F004031BA08D70D1C674E5508768
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040336B,0040A230,0040A230,0040326F,00414ED0,00004000,?,00000000,00403119), ref: 00405DEA
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileRead
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2738559852-0
                                                                                                                                                                                                                                  • Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                                                                                                                                                                                                                                  • Instruction ID: f39de87387fc754cac4ceee649b5e38243fe2bf9183d254406dbd5143e25ae03
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 57E0EC3221125AABDF509F65DC08AEB7B6DEF05360F008837F955E6160D631E9219BE8
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MessageBoxIndirectW.USER32(0040A3E8), ref: 0040591E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: IndirectMessage
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1874166685-0
                                                                                                                                                                                                                                  • Opcode ID: ad30b8c57171d568f185787def9c3cb3c84c161905c8a48c9e8b193500a59949
                                                                                                                                                                                                                                  • Instruction ID: 321c8730501e623a228f699c15320e1e2f592dc12f854a1532b6ac915461554a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ad30b8c57171d568f185787def9c3cb3c84c161905c8a48c9e8b193500a59949
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CCF0F272A10701CBC768CF18EA44B1A3BE0E704304F50817AE854A23B0D77998E2DF1E
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PrivateProfileString
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1096422788-0
                                                                                                                                                                                                                                  • Opcode ID: 2412c5e6e38f405480bfb5068b9d3e64da5a88d06b16ee9e0a03aeafae2b93d0
                                                                                                                                                                                                                                  • Instruction ID: 815fd251d1ef055c124add3867079dbd89389a2e6f50d5753089410e689aa70c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2412c5e6e38f405480bfb5068b9d3e64da5a88d06b16ee9e0a03aeafae2b93d0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 91E04F30800208BBDF01AFA4CE49DBD3B79AF00344F14043AF940AB0D5E7F89A819749
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetDlgItemTextW.USER32(?,?,00000000), ref: 0040425C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
• Opcode ID: 7233622df6a7a8fb633e185686b3ac587ee5e59de1f4571593d5d0ba3e8b76bd
• Instruction ID: 65f8c73b99d4ee7bdc81e4beaf37a5475fca5134ded6dd21b3b8f91a9c360ad6
• Opcode Fuzzy Hash: 7233622df6a7a8fb633e185686b3ac587ee5e59de1f4571593d5d0ba3e8b76bd
• Instruction Fuzzy Hash: F2C04C76148200BFE641A755CC42F1FB799EF9431AF40C52EB59CE51D2C63994309A2A
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
• Instruction ID: 8584b4a80e8197aea4c9dd325401cbfcfbe68695eba590e205f4256e4e85e437
• Opcode Fuzzy Hash: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
• Instruction Fuzzy Hash: 67C04C71740600BBDA20CB649D45F1677546754740F1448697640A60E0C674D420D62C
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
• Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
• Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
• Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
APIs
• SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
• Instruction ID: 3e0bacd84e958153637e663f6e0df00a268db6e73930f78988907d41dcf2010e
• Opcode Fuzzy Hash: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
• Instruction Fuzzy Hash: 32B01235290A00FBDE214B00EE09F457E62F76C701F008478B340240F0CAB300B1DB19
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040403C), ref: 0040426E
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
• Instruction ID: ea629541fdd2228df96855dc4de4e407fdbb002a66502a1a5a86269346c048a7
• Opcode Fuzzy Hash: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
• Instruction Fuzzy Hash: C0A001B6644500ABCE129F90EF49D0ABBB2EBE8742B518579A285900348A364961EB59
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404C71
• GetDlgItem.USER32(?,00000408), ref: 00404C7C
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404CC6
• LoadBitmapW.USER32(0000006E), ref: 00404CD9
• SetWindowLongW.USER32(?,000000FC,00405251), ref: 00404CF2
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D06
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D18
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404D2E
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3A
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D4C
                                                                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00404D4F
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7A
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D86
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E1C
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E47
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E5B
                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00404E8A
                                                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E98
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000005), ref: 00404EA9
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FA6
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040500B
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405020
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405044
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405064
                                                                                                                                                                                                                                  • ImageList_Destroy.COMCTL32(?), ref: 00405079
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(?), ref: 00405089
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405102
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 004051AB
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BA
                                                                                                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004051DA
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000000), ref: 00405228
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003FE), ref: 00405233
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 0040523A
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                                                                  • String ID: $M$N
                                                                                                                                                                                                                                  • API String ID: 1638840714-813528018
                                                                                                                                                                                                                                  • Opcode ID: c57cb45ce89cd192e0511e30eec95623b06f81766ebd804847a276e94d887aeb
                                                                                                                                                                                                                                  • Instruction ID: ce840dee0c3a5b827351c7f25dbf2e3605d0905f5c54158640504e6bfb71dde6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c57cb45ce89cd192e0511e30eec95623b06f81766ebd804847a276e94d887aeb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4C023EB0A00209EFDF209F64CD45AAE7BB5FB84355F10817AE610BA2E1C7799D52CF58
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040447D
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404491
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044AE
                                                                                                                                                                                                                                  • GetSysColor.USER32(?), ref: 004044BF
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044CD
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044DB
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 004044E0
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044ED
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404502
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,0000040A), ref: 0040455B
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000), ref: 00404562
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0040458D
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D0
                                                                                                                                                                                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 004045DE
                                                                                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 004045E1
                                                                                                                                                                                                                                  • ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 004045F6
                                                                                                                                                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00404602
                                                                                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 00404605
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404634
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404646
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                                                                                                                                                                  • String ID: N$Remove folder: $VC@$open
                                                                                                                                                                                                                                  • API String ID: 3615053054-2721566001
                                                                                                                                                                                                                                  • Opcode ID: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
                                                                                                                                                                                                                                  • Instruction ID: ef28e404984a924d02769b335405a58d84a4f5c10dd13b46e9d300bde90bb2c1
• Opcode Fuzzy Hash: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
• Instruction Fuzzy Hash: 717191B1A00209BFDB10AF60DD45E6A7B69FB94344F00843AFB05B62E0D779AD51CF98
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
• Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
• Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
• Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4
APIs
• GetDlgItem.USER32(?,000003FB), ref: 0040472C
• SetWindowTextW.USER32(00000000,?), ref: 00404756
• SHBrowseForFolderW.SHELL32(?), ref: 00404807
• CoTaskMemFree.OLE32(00000000), ref: 00404812
• lstrcmpiW.KERNEL32(Remove folder: ,00423728,00000000,?,?), ref: 00404844
• lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404850
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404862
  • Part of subcall function 004058A7: GetDlgItemTextW.USER32(?,?,00000400,00404899), ref: 004058BA
  • Part of subcall function 00406412: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
  • Part of subcall function 00406412: CharNextW.USER32(?,?,?,00000000), ref: 00406484
  • Part of subcall function 00406412: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
  • Part of subcall function 00406412: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C
• GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404925
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404940
  • Part of subcall function 00404A99: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3A
  • Part of subcall function 00404A99: wsprintfW.USER32 ref: 00404B43
  • Part of subcall function 00404A99: SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: (7B$A$C:\Program Files\TeamViewer$Remove folder:
• API String ID: 2624150263-2772811393
• Opcode ID: c0b61ef350f3b11f3d6e2819161bdb8859453bf742527bbdd3f0f7a625ed1280
• Instruction ID: d5aaf60bd55b21875b9c8b9a8d0b3d7e01f34e6f89f3adcbdcc63617e1d21faf
• Opcode Fuzzy Hash: c0b61ef350f3b11f3d6e2819161bdb8859453bf742527bbdd3f0f7a625ed1280
• Instruction Fuzzy Hash: B7A191F1A00209ABDB11AFA5CC45AAF77B8EF84354F10847BF601B62D1D77C99418B6D
APIs
• lstrcpyW.KERNEL32(00426DC8,NUL,?,00000000,?,?,00406040,?,?), ref: 00405EBC
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00406040,?,?), ref: 00405EE0
• GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405EE9
  • Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
  • Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA
• GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F06
• wsprintfA.USER32 ref: 00405F24
• GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405F5F
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F6E
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
• SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00405FFC
• GlobalFree.KERNEL32(00000000), ref: 0040600D
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406014
  • Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,80000000,00000003), ref: 00405D57
  • Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                                                                                                                                                                  • String ID: %ls=%ls$NUL$[Rename]
                                                                                                                                                                                                                                  • API String ID: 222337774-899692902
                                                                                                                                                                                                                                  • Opcode ID: 30f1ad71034d6c445b7df81822845e1e30d199c7f1bc078365d62d19a968fdd2
                                                                                                                                                                                                                                  • Instruction ID: 52ae09e4e2a5e81e4d5588e003ad531eff1fe7f7ae6e2de5146a23cae23f7ad9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 30f1ad71034d6c445b7df81822845e1e30d199c7f1bc078365d62d19a968fdd2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB315330241B19BBD2206B209D08F2B3A5CEF85758F15043BF942F62C2EA7CC9118EBD
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
                                                                                                                                                                                                                                  • CharNextW.USER32(?,?,?,00000000), ref: 00406484
                                                                                                                                                                                                                                  • CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
                                                                                                                                                                                                                                  • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" ,00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • *?|<>/":, xrefs: 00406464
                                                                                                                                                                                                                                  • "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" , xrefs: 00406412
                                                                                                                                                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00406413
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Char$Next$Prev
                                                                                                                                                                                                                                  • String ID: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                  • API String ID: 589700163-1635410149
                                                                                                                                                                                                                                  • Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
                                                                                                                                                                                                                                  • Instruction ID: c1b46f2de1f90aebbf911330ce555e940da56993e608f70b6a8db31027969b8c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5311C85680121299DB307B588C40AB7A2B8EF55754F52803FEDCA732C1E77C5C9286BD
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 004042C6
                                                                                                                                                                                                                                  • GetSysColor.USER32(00000000), ref: 004042E2
                                                                                                                                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 004042EE
                                                                                                                                                                                                                                  • SetBkMode.GDI32(?,?), ref: 004042FA
                                                                                                                                                                                                                                  • GetSysColor.USER32(?), ref: 0040430D
                                                                                                                                                                                                                                  • SetBkColor.GDI32(?,?), ref: 0040431D
                                                                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 00404337
                                                                                                                                                                                                                                  • CreateBrushIndirect.GDI32(?), ref: 00404341
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2320649405-0
                                                                                                                                                                                                                                  • Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                                                                                                                                                                                                  • Instruction ID: 2a82f640caf94e13ad52f77eccc7f6a005bf570db5d4005cc44859485eb84fad
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9F215171600704ABCB219F68DE08B4BBBF8AF81714F04892DED95E26A0D738E904CB64
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                                                                                                                                                                                                    • Part of subcall function 00405E34: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4A
                                                                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
• Instruction ID: fbd7f9394f7a40dbbdef10ea3a20ac1ae57b35180e29dd1ddeb30b88b5afce05
• Opcode Fuzzy Hash: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
• Instruction Fuzzy Hash: 19510774D00219ABDF209F94CA88AAEB779FF04344F50447BE501B72E0D7B99982DB69
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC2
• GetMessagePos.USER32 ref: 00404BCA
• ScreenToClient.USER32(?,?), ref: 00404BE4
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BF6
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C1C
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
• Instruction ID: 45e0f6331f39cfe7836e80c9775163861a3897288b26a0b158bc224782e9bc0b
• Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
• Instruction Fuzzy Hash: C9015271901218BAEB00DB94DD45FFEBBBCAF54711F10012BBA51B61D0C7B495018B54
APIs
• GetDC.USER32(?), ref: 00401D59
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
• ReleaseDC.USER32(?,00000000), ref: 00401D86
• CreateFontIndirectW.GDI32(0040CDE0), ref: 00401DD1
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Tahoma
• API String ID: 3808545654-3580928618
• Opcode ID: 5a25ca78bc8c32752d7f72089744ea34f9941ea911f474610dde7174e3f6db02
• Instruction ID: 9e8fd183d3d9d3ef172346538d4b27734d94fdc92d2c471f4f64b2fa811a60c8
• Opcode Fuzzy Hash: 5a25ca78bc8c32752d7f72089744ea34f9941ea911f474610dde7174e3f6db02
• Instruction Fuzzy Hash: F601A271544641EFEB016BB0AF4AF9A3F75BB65301F104579F152B61E2CA7C0006AB2D
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
• wsprintfW.USER32 ref: 00402D56
• SetWindowTextW.USER32(?,?), ref: 00402D66
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
• Opcode ID: 3598370c3c9dfc29f84c7b8ed24a957720a686991d5537ef1c6dff233380f4e6
• Instruction ID: 006a23aec332b8a1771af90dfa9c1e08c84c5b856183a3bf167901723993fe13
• Opcode Fuzzy Hash: 3598370c3c9dfc29f84c7b8ed24a957720a686991d5537ef1c6dff233380f4e6
• Instruction Fuzzy Hash: 2FF0367050020CABEF206F50DD49BEA3B69FF44305F00803AFA55B51D0DBF959558F59
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
• GlobalFree.KERNEL32(?), ref: 004028E9
• GlobalFree.KERNEL32(00000000), ref: 004028FC
• CloseHandle.KERNEL32(?), ref: 00402914
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2667972263-0
                                                                                                                                                                                                                                  • Opcode ID: e8b18edfeea79fa09e45a72486dc9901f693ae42d48326bb65f86fff18046ac9
                                                                                                                                                                                                                                  • Instruction ID: 9003099e8900d80eaa65f9bf21adae6f43ee9946aaa6f9d478ae9c17af360c06
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e8b18edfeea79fa09e45a72486dc9901f693ae42d48326bb65f86fff18046ac9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D6216F72801118BBCF216FA5CE49D9E7F79EF09364F24423AF550762E0CB794E419B98
APIs
• lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3A
• wsprintfW.USER32 ref: 00404B43
• SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$(7B
• API String ID: 3540041739-1320723960
• Opcode ID: 81ae9ae8dc439d9931515dbc50321e52771afc0a6870d61e722dcea37f1a3983
• Instruction ID: 8555a1dc09e6b234f76c08cd80d60a8511de1cbf1cdbca66d7a603e4fd23a7b2
• Opcode Fuzzy Hash: 81ae9ae8dc439d9931515dbc50321e52771afc0a6870d61e722dcea37f1a3983
• Instruction Fuzzy Hash: E911EB736441283BDB0095AD9C45F9E3298DB85378F150237FA26F71D1DA79D82286EC
APIs
• GetDlgItem.USER32(?,?), ref: 00401D00
• GetClientRect.USER32(00000000,?), ref: 00401D0D
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
• DeleteObject.GDI32(00000000), ref: 00401D4B
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 6491dc860a80c02085eecb14b1266a63ebbf57ab5d60057a90a3d7af6463b562
• Instruction ID: c287ee2e14a47dfcdc45124cadc9b4dd0eb33b5564dd8f2f51e592e83ba53e14
• Opcode Fuzzy Hash: 6491dc860a80c02085eecb14b1266a63ebbf57ab5d60057a90a3d7af6463b562
• Instruction Fuzzy Hash: 33F0E172600504AFD701DBE4DE88CEEBBBDEB48311B104476F541F51A1CA749D018B38
APIs
• CharNextW.USER32(?,?,C:\,?,00405C51,C:\,C:\,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
• CharNextW.USER32(00000000), ref: 00405BF0
• CharNextW.USER32(00000000), ref: 00405C08
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
• Opcode ID: 97bda6209b414f3be7afdaeea7f60dfeaed0a7be6e9491b65ace1fa1eacd3bf0
• Instruction ID: 6e78a38a92844ebddfb5a00e32717de03c0cdfda6ab0f65e84db47d2e3257ff5
• Opcode Fuzzy Hash: 97bda6209b414f3be7afdaeea7f60dfeaed0a7be6e9491b65ace1fa1eacd3bf0
• Instruction Fuzzy Hash: 83F0B411949F1D95FF3177584C45A7BA7BCEB55360B00803BEA41B72C1D7B84C818EEA
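The function records above all follow one layout: an APIs list (call, module, arguments, call-site address), an optional Strings list with xrefs, and a Memory Dump Source whose .sdmp file name encodes the dumped region. When triaging a report like this one it is useful to pull those records into structured data, order the calls by call site and collect the file-system paths that reach API arguments. The parser below is an added example written for this page, not Joe Sandbox code; the two records it parses are constructed from the layout seen here with shortened argument lists. The page protection and memory type fields of the .sdmp name are decoded with the documented Win32 PAGE_* and MEM_* constants (which match the values in this report: 0x20 = PAGE_EXECUTE_READ, 0x01000000 = MEM_IMAGE); reading the first two fields as process index and snapshot index is an assumption.

```python
"""Parse Joe Sandbox per-function records of the kind listed on this page.

Added example, not Joe Sandbox code. The meaning assigned to the first two
fields of the .sdmp file name (process index, snapshot index) is an
assumption; the protection and type fields are decoded with the documented
Win32 PAGE_* / MEM_* constants.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

PAGE_PROTECTION = {  # documented Win32 page protection constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEMORY_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# "• name.MODULE(args), ref: ADDR" or "• name.MODULE ref: ADDR" (no argument list)
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^•\s*(.*?),\s*xrefs:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int  # call-site address inside the dumped image


@dataclass
class DumpSource:
    process_index: int   # field 1 of the .sdmp name (assumed meaning)
    snapshot_index: int  # field 2 of the .sdmp name (assumed meaning)
    base: int            # field 4: start address of the dumped region
    protection: str      # field 5: PAGE_* constant
    mem_type: str        # field 7: MEM_* constant
    offset: int          # "Offset:" value, the image base the dump is rebased on
    based_on_pe: bool


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    source: Optional[DumpSource] = None


def parse_dump_name(name, offset, based_on_pe):
    f = name.split(".")
    prot, mtype = int(f[4], 16), int(f[6], 16)
    return DumpSource(
        process_index=int(f[0], 16), snapshot_index=int(f[1], 16), base=int(f[3], 16),
        protection=PAGE_PROTECTION.get(prot, f"0x{prot:X}"),
        mem_type=MEMORY_TYPE.get(mtype, f"0x{mtype:X}"),
        offset=offset, based_on_pe=based_on_pe,
    )


def parse_record(text):
    rec, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings", "Memory Dump Source"):
            section = line
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
            rec.apis.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m.group(1), int(m.group(2), 16)))
        elif section == "Memory Dump Source" and (m := SRC_RE.match(line)):
            rec.source = parse_dump_name(m.group(1), int(m.group(2), 16), m.group(3) == "true")
    rec.apis.sort(key=lambda c: c.ref)  # the report lists calls by site; enforce that order
    return rec


def call_sequence(rec):
    return [f"{c.module}!{c.name}" for c in rec.apis]


def path_arguments(rec):
    """File-system paths that appear as call arguments or under Strings."""
    found = set()
    for call in rec.apis:
        found.update(a for a in call.args if WIN_PATH_RE.match(a))
    found.update(s for s, _ in rec.strings if WIN_PATH_RE.match(s))
    return found


# Constructed input: two records in this report's layout, argument lists shortened.
SAMPLE_RECORDS = (
    r"""APIs
• lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005), ref: 00404B3A
• wsprintfW.USER32 ref: 00404B43
• SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
""",
    r"""APIs
• lstrcatW.KERNEL32(?,0040A014), ref: 00405B54
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A3), ref: 00405B38
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A3), ref: 00405B42
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405B32
Memory Dump Source
• Source File: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
""",
)

if __name__ == "__main__":
    for text in SAMPLE_RECORDS:
        rec = parse_record(text)
        print(" -> ".join(call_sequence(rec)), "|", rec.source.protection, rec.source.mem_type)
        print("   paths:", sorted(path_arguments(rec)))
```

Sorting by the `ref` address gives the order of the call sites in the function body, which is what the "Instruction ID" style similarity data summarises; the path extraction is a quick way to list every location the sample writes to or reads from across all records of a report, without scrolling through the repeated Associated lists.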
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B38
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B42
• lstrcatW.KERNEL32(?,0040A014), ref: 00405B54
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405B32
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                  • API String ID: 2659869361-3081826266
                                                                                                                                                                                                                                  • Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                                                                                                                                                                                                  • Instruction ID: 1c34604f245f66d13fb295c2dca74b2082213948d97efa3850964b8affffb698
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 57D05E31101934AAC2116B448C04DDB73AC9E46304341442AF201B70A6C778695286FD
APIs
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
  • Part of subcall function 004052DD: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00402E19,00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,00000000,00000000,00000000), ref: 00405338
  • Part of subcall function 004052DD: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsy5D72.tmp\), ref: 0040534A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
  • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
  • Part of subcall function 0040585E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
  • Part of subcall function 0040585E: CloseHandle.KERNEL32(?), ref: 00405894
• WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
• String ID:
• API String ID: 3585118688-0
• Opcode ID: bb4ed085c638bd443c710e2d7f0342cbaf51ccc2adafb456e5dd98b29d2a060b
• Instruction ID: 5702df78c33f9bd13decba52644e1012fe72a42f767711efff684f6f7274af03
• Opcode Fuzzy Hash: bb4ed085c638bd443c710e2d7f0342cbaf51ccc2adafb456e5dd98b29d2a060b
• Instruction Fuzzy Hash: FF11A131900508EBCF21AF91CD4499E7AB6AF40314F21407BFA05B61F1D7798A92DB99
APIs
• SetWindowTextW.USER32(00000000,00429240), ref: 00403D35
Strings
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000422000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000425000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000042C000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000430000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000435000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.0000000000460000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371401685.000000000047B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2371670655.0000000000486000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: TextWindow
• String ID: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" $1033
• API String ID: 530164218-809957822
• Opcode ID: 9d022d01f112da27556ef407cc074c94f0222ef42f22569fe4f3b5c0e17e7ae8
• Instruction ID: 4786a0dcc4ba2f930af81554b1ec9cb86176e7a1d2ad565e9f211a7c6dcc4e6b
• Opcode Fuzzy Hash: 9d022d01f112da27556ef407cc074c94f0222ef42f22569fe4f3b5c0e17e7ae8
• Instruction Fuzzy Hash: 7111C331B44210ABD7359F15EC40A337B6CEF85715B28427BE801AB3A1C63A9D1296A9
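The two records above are the ones an analyst reads first in a dropper stub: one launches a child with CreateProcessW and then polls WaitForSingleObject (timeout 0x64, 100 ms) until GetExitCodeProcess can be read, the other carries the command line of an executable running from a Temp subfolder. The script below is an added example, not Joe Sandbox's parser and not code from the sample; it parses this report's record layout (a record begins at each "APIs" heading, bullets under "APIs", "Strings" and "Similarity" are consumed, the rest is ignored) and flags both behaviours, and it also decodes the dwCreationFlags literal passed to CreateProcessW. SAMPLE is constructed from lines of this report; the creation-flag table is a subset of the documented values.

```python
"""Added example, not Joe Sandbox code: parse the per-function "APIs"/"Strings"/
"Similarity" records in this report and flag a CreateProcessW -> WaitForSingleObject
-> GetExitCodeProcess sequence plus any string naming an .exe under the user's Temp
directory. SAMPLE is constructed from lines of this report."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = r"""
APIs
  • Part of subcall function 0040585E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
  • Part of subcall function 0040585E: CloseHandle.KERNEL32(?), ref: 00405894
• WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
Similarity
• String ID:
• Opcode ID: bb4ed085c638bd443c710e2d7f0342cbaf51ccc2adafb456e5dd98b29d2a060b
APIs
• SetWindowTextW.USER32(00000000,00429240), ref: 00403D35
Strings
Similarity
• String ID: "C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe" $1033
• Opcode ID: 9d022d01f112da27556ef407cc074c94f0222ef42f22569fe4f3b5c0e17e7ae8
"""

# One "name.MODULE(args), ref: ADDR" item, optionally prefixed as a subcall.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
TEMP_EXE_RE = re.compile(r'[A-Za-z]:(?:\\[^"\s\\]+)*\\AppData\\Local\\Temp\\[^"\s]*\.exe', re.I)
# dwCreationFlags bits (6th CreateProcessW argument); a subset of the documented values.
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                  0x200: "CREATE_NEW_PROCESS_GROUP", 0x04000000: "CREATE_DEFAULT_ERROR_MODE",
                  0x08000000: "CREATE_NO_WINDOW"}

# subcall is the callee address when the line is "Part of subcall function ...", else "".
ApiCall = namedtuple("ApiCall", "name module args ref subcall")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # Strings section + Similarity "String ID"
    opcode_id: str = ""

def parse_records(text):
    """Split the listing into records; a new record starts at each "APIs" heading."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif rec is not None and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(item)):
                rec.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","),
                                        m["ref"], m["sub"] or ""))
            elif section == "Strings":                      # "value, xrefs: ADDR"
                value, sep, _ = item.rpartition(", xrefs: ")
                rec.strings.append(value if sep else item)
            elif section == "Similarity" and item.startswith("String ID:"):
                if value := item[len("String ID:"):].strip():
                    rec.strings.append(value)
            elif section == "Similarity" and item.startswith("Opcode ID:"):
                rec.opcode_id = item.split(":", 1)[1].strip()
    return records

def decode_creation_flags(value):
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]

def create_process_flags(rec):
    """Decoded dwCreationFlags of each CreateProcessW/A call whose 6th argument is a literal."""
    return [decode_creation_flags(int(c.args[5], 16)) for c in rec.apis
            if c.name in ("CreateProcessW", "CreateProcessA") and len(c.args) > 5
            and re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[5])]

def exec_wait_pattern(rec):
    """True when CreateProcessW, WaitForSingleObject and GetExitCodeProcess occur in that order."""
    names, pos = [c.name for c in rec.apis], 0
    for want in ("CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"):
        if want not in names[pos:]:
            return False
        pos = names.index(want, pos) + 1
    return True

def temp_executables(rec):
    return [p for s in rec.strings for p in TEMP_EXE_RE.findall(s)]

def triage(text):
    """(record id, finding kind, detail) for every record in the listing."""
    findings = []
    for rec in parse_records(text):
        rid = rec.opcode_id[:12]
        if exec_wait_pattern(rec):
            findings.append((rid, "exec-wait", "launches a child process and polls its exit code"))
        for flags in create_process_flags(rec):
            findings.append((rid, "creation-flags", "|".join(flags) or "0"))
        for path in temp_executables(rec):
            findings.append((rid, "temp-exe", path))
    return findings

if __name__ == "__main__":
    for rid, kind, detail in triage(SAMPLE):
        print(f"{rid}  {kind:15} {detail}")
```

Run against the two records it reports the exec-wait sequence, the creation flags of that CreateProcessW call (04000000 decodes to CREATE_DEFAULT_ERROR_MODE alone, so this particular call does not use CREATE_SUSPENDED) and the Temp-folder command line. The "Error launching installer" argument, the nsy5D72.tmp / nsc4E1F.tmp folder names and the "Remove folder:" status text are consistent with an NSIS installer stub; the snapshot name hcaresult_6_2_400000_TeamViewer_ and the command-line string together indicate that the dumped process is itself the TeamViewer_.exe stub running from a Temp subfolder. A practitioner would feed the full function listing of the report to `triage` rather than the two-record sample embedded here.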
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • IsWindowVisible.USER32(?), ref: 00405280
                                                                                                                                                                                                                                  • CallWindowProcW.USER32(?,?,?,?), ref: 004052D1
                                                                                                                                                                                                                                    • Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371247525.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371371269.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000006.00000002.2371401685.000000000040A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
• Instruction ID: 35360b72f4910b777185a6264b25dc7760dbd7dc789205491e41d57b326ac1ec
• Opcode Fuzzy Hash: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
• Instruction Fuzzy Hash: 6B019E71210708ABDF208F11DD84E9B3A35EF94321F60443AFA00761D1C77A8D529E6A
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
• CloseHandle.KERNEL32(?), ref: 00405894
Strings
• Error launching installer, xrefs: 00405871
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
• Instruction ID: 0fb7bd0647ee639374dbc29985885c8cd5f4694ddcbbc5ba66c50ad851a9a680
• Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
• Instruction Fuzzy Hash: 22E04FB0A002097FEB009B64ED45F7B77ACEB04208F408431BD00F2150D77498248A78
APIs
• lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,80000000,00000003), ref: 00405B84
• CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD\TeamViewer_.exe,80000000,00000003), ref: 00405B94
Strings
• C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD, xrefs: 00405B7E
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsc4E1F.tmp\nsn4EAD
• API String ID: 2709904686-2353090577
• Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
• Instruction ID: 87bbc210c64b19a6b78a00595756172ded5dec919d443e3f73ce50da7c0279be
• Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
• Instruction Fuzzy Hash: D4D05EB24009209AD312AB04DD00DAF77ACEF163007464426E841AB166D778BC8186BC
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE0
• CharNextA.USER32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF1
• lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA
Memory Dump Source
• Source File: 00000006.00000002.2371266651.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_TeamViewer_.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
• Instruction ID: b09c91cad7c2282b041c35ea214dbdd3f15ee75aa50bf55fe933874c09a5e2ef
• Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
• Instruction Fuzzy Hash: BFF0F631104954FFD702DFA5DD04E9FBBA8EF06350B2180BAE841F7210D674DE01ABA8

Execution Graph

Execution Coverage: 20.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1343
Total number of Limit Nodes: 40
3433 4038e6 CloseHandle 3431->3433 3434 403904 3432->3434 3435 4038fa CloseHandle 3432->3435 3433->3432 3440 403932 3434->3440 3435->3434 3441 403940 3440->3441 3442 403909 3441->3442 3443 403945 FreeLibrary GlobalFree 3441->3443 3444 40596f 3442->3444 3443->3442 3443->3443 3480 405c3a 3444->3480 3447 405997 DeleteFileW 3477 403915 3447->3477 3448 4059ae 3449 405ace 3448->3449 3494 40617e lstrcpynW 3448->3494 3456 4064c1 2 API calls 3449->3456 3449->3477 3451 4059d4 3452 4059e7 3451->3452 3453 4059da lstrcatW 3451->3453 3496 405b7e lstrlenW 3452->3496 3454 4059ed 3453->3454 3457 4059fd lstrcatW 3454->3457 3459 405a08 lstrlenW FindFirstFileW 3454->3459 3458 405af3 3456->3458 3457->3459 3461 405b32 3 API calls 3458->3461 3458->3477 3459->3449 3460 405a2a 3459->3460 3463 405ab1 FindNextFileW 3460->3463 3472 40596f 62 API calls 3460->3472 3476 4052dd 25 API calls 3460->3476 3478 4052dd 25 API calls 3460->3478 3479 40601f 38 API calls 3460->3479 3495 40617e lstrcpynW 3460->3495 3500 405927 3460->3500 3462 405afd 3461->3462 3464 405927 5 API calls 3462->3464 3463->3460 3467 405ac7 FindClose 3463->3467 3466 405b09 3464->3466 3468 405b23 3466->3468 3471 405b0d 3466->3471 3467->3449 3470 4052dd 25 API calls 3468->3470 3470->3477 3473 4052dd 25 API calls 3471->3473 3471->3477 3472->3460 3474 405b1a 3473->3474 3475 40601f 38 API calls 3474->3475 3475->3477 3476->3463 3478->3460 3479->3460 3508 40617e lstrcpynW 3480->3508 3482 405c4b 3509 405bdd CharNextW CharNextW 3482->3509 3485 40598f 3485->3447 3485->3448 3486 406412 5 API calls 3492 405c61 3486->3492 3487 405c92 lstrlenW 3488 405c9d 3487->3488 3487->3492 3489 405b32 3 API calls 3488->3489 3491 405ca2 GetFileAttributesW 3489->3491 3490 4064c1 2 API calls 3490->3492 3491->3485 3492->3485 3492->3487 3492->3490 3493 405b7e 2 API calls 3492->3493 3493->3487 3494->3451 3495->3460 3497 405b8c 3496->3497 3498 405b92 CharPrevW 3497->3498 3499 405b9e 3497->3499 3498->3497 3498->3499 3499->3454 3501 405d2e 2 API calls 3500->3501 
3502 405933 3501->3502 3503 405954 3502->3503 3504 405942 RemoveDirectoryW 3502->3504 3505 40594a DeleteFileW 3502->3505 3503->3460 3506 405950 3504->3506 3505->3506 3506->3503 3507 405960 SetFileAttributesW 3506->3507 3507->3503 3508->3482 3511 405c0c 3509->3511 3512 405bfa 3509->3512 3510 405c30 3510->3485 3510->3486 3511->3510 3514 405b5f CharNextW 3511->3514 3512->3511 3513 405c07 CharNextW 3512->3513 3513->3510 3514->3511 3995 404356 lstrcpynW lstrlenW 3996 401d56 GetDC GetDeviceCaps 3997 402ba2 18 API calls 3996->3997 3998 401d74 MulDiv ReleaseDC 3997->3998 3999 402ba2 18 API calls 3998->3999 4000 401d93 3999->4000 4001 4061a0 18 API calls 4000->4001 4002 401dcc CreateFontIndirectW 4001->4002 4003 402531 4002->4003 4004 401a57 4005 402ba2 18 API calls 4004->4005 4006 401a5d 4005->4006 4007 402ba2 18 API calls 4006->4007 4008 401a05 4007->4008 4009 4014d7 4010 402ba2 18 API calls 4009->4010 4011 4014dd Sleep 4010->4011 4013 402a4c 4011->4013 4014 404c59 GetDlgItem GetDlgItem 4015 404cab 7 API calls 4014->4015 4022 404ec4 4014->4022 4016 404d41 SendMessageW 4015->4016 4017 404d4e DeleteObject 4015->4017 4016->4017 4018 404d57 4017->4018 4020 404d8e 4018->4020 4021 4061a0 18 API calls 4018->4021 4019 404fa8 4024 405054 4019->4024 4034 405001 SendMessageW 4019->4034 4054 404eb7 4019->4054 4065 404242 4020->4065 4025 404d70 SendMessageW SendMessageW 4021->4025 4022->4019 4032 404ba7 5 API calls 4022->4032 4057 404f35 4022->4057 4026 405066 4024->4026 4027 40505e SendMessageW 4024->4027 4025->4018 4031 40508f 4026->4031 4036 405078 ImageList_Destroy 4026->4036 4037 40507f 4026->4037 4027->4026 4028 404da2 4033 404242 19 API calls 4028->4033 4030 404f9a SendMessageW 4030->4019 4039 4051fe 4031->4039 4053 404c27 4 API calls 4031->4053 4061 4050ca 4031->4061 4032->4057 4038 404db0 4033->4038 4040 405016 SendMessageW 4034->4040 4034->4054 4036->4037 4037->4031 4041 405088 GlobalFree 4037->4041 4042 404e85 GetWindowLongW SetWindowLongW 4038->4042 4049 404e7f 4038->4049 
4052 404e00 SendMessageW 4038->4052 4055 404e3c SendMessageW 4038->4055 4056 404e4d SendMessageW 4038->4056 4044 405210 ShowWindow GetDlgItem ShowWindow 4039->4044 4039->4054 4043 405029 4040->4043 4041->4031 4045 404e9e 4042->4045 4048 40503a SendMessageW 4043->4048 4044->4054 4046 404ea4 ShowWindow 4045->4046 4047 404ebc 4045->4047 4068 404277 SendMessageW 4046->4068 4069 404277 SendMessageW 4047->4069 4048->4024 4049->4042 4049->4045 4052->4038 4053->4061 4073 4042a9 4054->4073 4055->4038 4056->4038 4057->4019 4057->4030 4058 4051d4 InvalidateRect 4058->4039 4059 4051ea 4058->4059 4070 404b62 4059->4070 4060 4050f8 SendMessageW 4064 40510e 4060->4064 4061->4060 4061->4064 4063 405182 SendMessageW SendMessageW 4063->4064 4064->4058 4064->4063 4066 4061a0 18 API calls 4065->4066 4067 40424d SetDlgItemTextW 4066->4067 4067->4028 4068->4054 4069->4022 4087 404a99 4070->4087 4072 404b77 4072->4039 4074 4042c1 GetWindowLongW 4073->4074 4084 40434a 4073->4084 4075 4042d2 4074->4075 4074->4084 4076 4042e1 GetSysColor 4075->4076 4077 4042e4 4075->4077 4076->4077 4078 4042f4 SetBkMode 4077->4078 4079 4042ea SetTextColor 4077->4079 4080 404312 4078->4080 4081 40430c GetSysColor 4078->4081 4079->4078 4082 404319 SetBkColor 4080->4082 4083 404323 4080->4083 4081->4080 4082->4083 4083->4084 4085 404336 DeleteObject 4083->4085 4086 40433d CreateBrushIndirect 4083->4086 4085->4086 4086->4084 4088 404ab2 4087->4088 4089 4061a0 18 API calls 4088->4089 4090 404b16 4089->4090 4091 4061a0 18 API calls 4090->4091 4092 404b21 4091->4092 4093 4061a0 18 API calls 4092->4093 4094 404b37 lstrlenW wsprintfW SetDlgItemTextW 4093->4094 4094->4072 4095 40155b 4096 4029f2 4095->4096 4099 4060c5 wsprintfW 4096->4099 4098 4029f7 4099->4098 4100 401ddc 4101 402ba2 18 API calls 4100->4101 4102 401de2 4101->4102 4103 402ba2 18 API calls 4102->4103 4104 401deb 4103->4104 4105 401df2 ShowWindow 4104->4105 4106 401dfd EnableWindow 4104->4106 4107 402a4c 4105->4107 4106->4107 4108 4046dd 4109 404709 
4108->4109 4110 40471a 4108->4110 4169 4058a7 GetDlgItemTextW 4109->4169 4112 404726 GetDlgItem 4110->4112 4118 404785 4110->4118 4113 40473a 4112->4113 4117 40474e SetWindowTextW 4113->4117 4121 405bdd 4 API calls 4113->4121 4114 404869 4167 404a18 4114->4167 4171 4058a7 GetDlgItemTextW 4114->4171 4115 404714 4116 406412 5 API calls 4115->4116 4116->4110 4122 404242 19 API calls 4117->4122 4118->4114 4123 4061a0 18 API calls 4118->4123 4118->4167 4120 4042a9 8 API calls 4125 404a2c 4120->4125 4126 404744 4121->4126 4127 40476a 4122->4127 4128 4047f9 SHBrowseForFolderW 4123->4128 4124 404899 4129 405c3a 18 API calls 4124->4129 4126->4117 4133 405b32 3 API calls 4126->4133 4130 404242 19 API calls 4127->4130 4128->4114 4131 404811 CoTaskMemFree 4128->4131 4132 40489f 4129->4132 4134 404778 4130->4134 4135 405b32 3 API calls 4131->4135 4172 40617e lstrcpynW 4132->4172 4133->4117 4170 404277 SendMessageW 4134->4170 4137 40481e 4135->4137 4140 404855 SetDlgItemTextW 4137->4140 4144 4061a0 18 API calls 4137->4144 4139 40477e 4142 406558 5 API calls 4139->4142 4140->4114 4141 4048b6 4143 406558 5 API calls 4141->4143 4142->4118 4155 4048bd 4143->4155 4145 40483d lstrcmpiW 4144->4145 4145->4140 4147 40484e lstrcatW 4145->4147 4146 4048fe 4173 40617e lstrcpynW 4146->4173 4147->4140 4149 404905 4150 405bdd 4 API calls 4149->4150 4151 40490b GetDiskFreeSpaceW 4150->4151 4153 40492f MulDiv 4151->4153 4156 404956 4151->4156 4153->4156 4154 405b7e 2 API calls 4154->4155 4155->4146 4155->4154 4155->4156 4157 4049c7 4156->4157 4159 404b62 21 API calls 4156->4159 4158 4049ea 4157->4158 4160 40140b 2 API calls 4157->4160 4174 404264 EnableWindow 4158->4174 4161 4049b4 4159->4161 4160->4158 4163 4049c9 SetDlgItemTextW 4161->4163 4164 4049b9 4161->4164 4163->4157 4165 404a99 21 API calls 4164->4165 4165->4157 4166 404a06 4166->4167 4175 404672 4166->4175 4167->4120 4169->4115 4170->4139 4171->4124 4172->4141 4173->4149 4174->4166 4176 404680 4175->4176 4177 404685 SendMessageW 
4175->4177 4176->4177 4177->4167 3856 4022df 3857 402bbf 18 API calls 3856->3857 3858 4022ee 3857->3858 3859 402bbf 18 API calls 3858->3859 3860 4022f7 3859->3860 3861 402bbf 18 API calls 3860->3861 3862 402301 GetPrivateProfileStringW 3861->3862 4178 4043df 4180 4043f7 4178->4180 4183 404511 4178->4183 4179 40457b 4181 404585 GetDlgItem 4179->4181 4182 40464d 4179->4182 4184 404242 19 API calls 4180->4184 4185 40460e 4181->4185 4186 40459f 4181->4186 4189 4042a9 8 API calls 4182->4189 4183->4179 4183->4182 4187 40454c GetDlgItem SendMessageW 4183->4187 4188 40445e 4184->4188 4185->4182 4194 404620 4185->4194 4186->4185 4193 4045c5 6 API calls 4186->4193 4209 404264 EnableWindow 4187->4209 4191 404242 19 API calls 4188->4191 4192 404648 4189->4192 4196 40446b CheckDlgButton 4191->4196 4193->4185 4197 404636 4194->4197 4198 404626 SendMessageW 4194->4198 4195 404576 4199 404672 SendMessageW 4195->4199 4207 404264 EnableWindow 4196->4207 4197->4192 4201 40463c SendMessageW 4197->4201 4198->4197 4199->4179 4201->4192 4202 404489 GetDlgItem 4208 404277 SendMessageW 4202->4208 4204 40449f SendMessageW 4205 4044c5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4204->4205 4206 4044bc GetSysColor 4204->4206 4205->4192 4206->4205 4207->4202 4208->4204 4209->4195 4210 401bdf 4211 402ba2 18 API calls 4210->4211 4212 401be6 4211->4212 4213 402ba2 18 API calls 4212->4213 4214 401bf0 4213->4214 4215 401c00 4214->4215 4216 402bbf 18 API calls 4214->4216 4217 401c10 4215->4217 4218 402bbf 18 API calls 4215->4218 4216->4215 4219 401c1b 4217->4219 4220 401c5f 4217->4220 4218->4217 4221 402ba2 18 API calls 4219->4221 4222 402bbf 18 API calls 4220->4222 4223 401c20 4221->4223 4224 401c64 4222->4224 4225 402ba2 18 API calls 4223->4225 4226 402bbf 18 API calls 4224->4226 4227 401c29 4225->4227 4228 401c6d FindWindowExW 4226->4228 4229 401c31 SendMessageTimeoutW 4227->4229 4230 401c4f SendMessageW 4227->4230 4231 401c8f 4228->4231 4229->4231 4230->4231 4232 401960 4233 
402ba2 18 API calls 4232->4233 4234 401967 4233->4234 4235 402ba2 18 API calls 4234->4235 4236 401971 4235->4236 4237 402bbf 18 API calls 4236->4237 4238 40197a 4237->4238 4239 40198e lstrlenW 4238->4239 4240 4019ca 4238->4240 4241 401998 4239->4241 4241->4240 4245 40617e lstrcpynW 4241->4245 4243 4019b3 4243->4240 4244 4019c0 lstrlenW 4243->4244 4244->4240 4245->4243 4246 401662 4247 402bbf 18 API calls 4246->4247 4248 401668 4247->4248 4249 4064c1 2 API calls 4248->4249 4250 40166e 4249->4250 4251 4019e4 4252 402bbf 18 API calls 4251->4252 4253 4019eb 4252->4253 4254 402bbf 18 API calls 4253->4254 4255 4019f4 4254->4255 4256 4019fb lstrcmpiW 4255->4256 4257 401a0d lstrcmpW 4255->4257 4258 401a01 4256->4258 4257->4258 4259 4025e5 4260 402ba2 18 API calls 4259->4260 4262 4025f4 4260->4262 4261 40272d 4262->4261 4263 40263a ReadFile 4262->4263 4264 405dd6 ReadFile 4262->4264 4265 40267a MultiByteToWideChar 4262->4265 4266 40272f 4262->4266 4267 405e34 5 API calls 4262->4267 4269 4026a0 SetFilePointer MultiByteToWideChar 4262->4269 4270 402740 4262->4270 4263->4261 4263->4262 4264->4262 4265->4262 4272 4060c5 wsprintfW 4266->4272 4267->4262 4269->4262 4270->4261 4271 402761 SetFilePointer 4270->4271 4271->4261 4272->4261 3193 401e66 3194 402bbf 18 API calls 3193->3194 3195 401e6c 3194->3195 3196 4052dd 25 API calls 3195->3196 3197 401e76 3196->3197 3210 40585e CreateProcessW 3197->3210 3200 40281e 3201 401edb CloseHandle 3201->3200 3202 401e8c WaitForSingleObject 3203 401e9e 3202->3203 3204 401eb0 GetExitCodeProcess 3203->3204 3213 406594 3203->3213 3205 401ec2 3204->3205 3206 401ecd 3204->3206 3217 4060c5 wsprintfW 3205->3217 3206->3201 3211 405891 CloseHandle 3210->3211 3212 401e7c 3210->3212 3211->3212 3212->3200 3212->3201 3212->3202 3214 4065b1 PeekMessageW 3213->3214 3215 401ea5 WaitForSingleObject 3214->3215 3216 4065a7 DispatchMessageW 3214->3216 3215->3203 3216->3214 3217->3206 3230 401767 3231 402bbf 18 API calls 3230->3231 3232 40176e 3231->3232 3233 
401796 3232->3233 3234 40178e 3232->3234 3285 40617e lstrcpynW 3233->3285 3284 40617e lstrcpynW 3234->3284 3237 4017a1 3286 405b32 lstrlenW CharPrevW 3237->3286 3238 401794 3241 406412 5 API calls 3238->3241 3251 4017b3 3241->3251 3245 4017c5 CompareFileTime 3245->3251 3246 401885 3247 4052dd 25 API calls 3246->3247 3249 40188f 3247->3249 3248 4052dd 25 API calls 3250 401871 3248->3250 3269 4030e7 3249->3269 3251->3245 3251->3246 3255 4061a0 18 API calls 3251->3255 3260 40617e lstrcpynW 3251->3260 3267 40185c 3251->3267 3268 405d53 GetFileAttributesW CreateFileW 3251->3268 3289 4064c1 FindFirstFileW 3251->3289 3292 405d2e GetFileAttributesW 3251->3292 3295 4058c3 3251->3295 3254 4018b6 SetFileTime 3256 4018c8 CloseHandle 3254->3256 3255->3251 3256->3250 3257 4018d9 3256->3257 3258 4018f1 3257->3258 3259 4018de 3257->3259 3262 4061a0 18 API calls 3258->3262 3261 4061a0 18 API calls 3259->3261 3260->3251 3263 4018e6 lstrcatW 3261->3263 3264 4018f9 3262->3264 3263->3264 3266 4058c3 MessageBoxIndirectW 3264->3266 3266->3250 3267->3248 3267->3250 3268->3251 3270 403112 3269->3270 3271 4030f6 SetFilePointer 3269->3271 3299 4031ef GetTickCount 3270->3299 3271->3270 3276 4031ef 43 API calls 3277 403149 3276->3277 3278 4031b5 ReadFile 3277->3278 3281 403158 3277->3281 3283 4018a2 3277->3283 3278->3283 3280 405dd6 ReadFile 3280->3281 3281->3280 3281->3283 3314 405e05 WriteFile 3281->3314 3283->3254 3283->3256 3284->3238 3285->3237 3287 4017a7 lstrcatW 3286->3287 3288 405b4e lstrcatW 3286->3288 3287->3238 3288->3287 3290 4064e2 3289->3290 3291 4064d7 FindClose 3289->3291 3290->3251 3291->3290 3293 405d40 SetFileAttributesW 3292->3293 3294 405d4d 3292->3294 3293->3294 3294->3251 3296 4058d8 3295->3296 3297 405924 3296->3297 3298 4058ec MessageBoxIndirectW 3296->3298 3297->3251 3298->3297 3300 403347 3299->3300 3301 40321d 3299->3301 3302 402d9f 33 API calls 3300->3302 3316 40336e SetFilePointer 3301->3316 3308 403119 3302->3308 3304 403228 SetFilePointer 3310 40324d 3304->3310 
3308->3283 3312 405dd6 ReadFile 3308->3312 3309 405e05 WriteFile 3309->3310 3310->3308 3310->3309 3311 403328 SetFilePointer 3310->3311 3317 403358 3310->3317 3320 406697 3310->3320 3327 402d9f 3310->3327 3311->3300 3313 403132 3312->3313 3313->3276 3313->3283 3315 405e23 3314->3315 3315->3281 3316->3304 3318 405dd6 ReadFile 3317->3318 3319 40336b 3318->3319 3319->3310 3321 4066bc 3320->3321 3326 4066c4 3320->3326 3321->3310 3322 406754 GlobalAlloc 3322->3321 3322->3326 3323 40674b GlobalFree 3323->3322 3324 4067c2 GlobalFree 3325 4067cb GlobalAlloc 3324->3325 3325->3321 3325->3326 3326->3321 3326->3322 3326->3323 3326->3324 3326->3325 3328 402db0 3327->3328 3329 402dc8 3327->3329 3330 402db9 DestroyWindow 3328->3330 3334 402dc0 3328->3334 3331 402dd0 3329->3331 3332 402dd8 GetTickCount 3329->3332 3330->3334 3335 406594 2 API calls 3331->3335 3333 402de6 3332->3333 3332->3334 3336 402e1b CreateDialogParamW ShowWindow 3333->3336 3337 402dee 3333->3337 3334->3310 3335->3334 3336->3334 3337->3334 3338 402d83 MulDiv 3337->3338 3339 402dfc wsprintfW 3338->3339 3340 4052dd 25 API calls 3339->3340 3340->3334 4280 401ee9 4281 402bbf 18 API calls 4280->4281 4282 401ef0 4281->4282 4283 4064c1 2 API calls 4282->4283 4284 401ef6 4283->4284 4286 401f07 4284->4286 4287 4060c5 wsprintfW 4284->4287 4287->4286 4288 403d6a 4289 403d82 4288->4289 4290 403ebd 4288->4290 4289->4290 4291 403d8e 4289->4291 4292 403f0e 4290->4292 4293 403ece GetDlgItem GetDlgItem 4290->4293 4294 403d99 SetWindowPos 4291->4294 4295 403dac 4291->4295 4297 403f68 4292->4297 4305 401389 2 API calls 4292->4305 4296 404242 19 API calls 4293->4296 4294->4295 4299 403db1 ShowWindow 4295->4299 4300 403dc9 4295->4300 4301 403ef8 SetClassLongW 4296->4301 4298 40428e SendMessageW 4297->4298 4316 403eb8 4297->4316 4345 403f7a 4298->4345 4299->4300 4302 403dd1 DestroyWindow 4300->4302 4303 403deb 4300->4303 4304 40140b 2 API calls 4301->4304 4355 4041cb 4302->4355 4306 403df0 SetWindowLongW 4303->4306 4307 403e01 
4303->4307 4304->4292 4308 403f40 4305->4308 4306->4316 4311 403e0d GetDlgItem 4307->4311 4325 403e78 4307->4325 4308->4297 4312 403f44 SendMessageW 4308->4312 4309 40140b 2 API calls 4309->4345 4310 4041cd DestroyWindow EndDialog 4310->4355 4315 403e20 SendMessageW IsWindowEnabled 4311->4315 4318 403e3d 4311->4318 4312->4316 4313 4042a9 8 API calls 4313->4316 4314 4041fc ShowWindow 4314->4316 4315->4316 4315->4318 4317 4061a0 18 API calls 4317->4345 4319 403e4a 4318->4319 4320 403e91 SendMessageW 4318->4320 4321 403e5d 4318->4321 4329 403e42 4318->4329 4319->4320 4319->4329 4320->4325 4323 403e65 4321->4323 4324 403e7a 4321->4324 4326 40140b 2 API calls 4323->4326 4327 40140b 2 API calls 4324->4327 4325->4313 4326->4329 4327->4329 4328 404242 19 API calls 4328->4345 4329->4325 4356 40421b 4329->4356 4330 404242 19 API calls 4331 403ff5 GetDlgItem 4330->4331 4332 404012 ShowWindow EnableWindow 4331->4332 4333 40400a 4331->4333 4359 404264 EnableWindow 4332->4359 4333->4332 4335 40403c EnableWindow 4338 404050 4335->4338 4336 404055 GetSystemMenu EnableMenuItem SendMessageW 4337 404085 SendMessageW 4336->4337 4336->4338 4337->4338 4338->4336 4360 404277 SendMessageW 4338->4360 4361 40617e lstrcpynW 4338->4361 4341 4040b3 lstrlenW 4342 4061a0 18 API calls 4341->4342 4343 4040c9 SetWindowTextW 4342->4343 4344 401389 2 API calls 4343->4344 4344->4345 4345->4309 4345->4310 4345->4316 4345->4317 4345->4328 4345->4330 4346 40410d DestroyWindow 4345->4346 4347 404127 CreateDialogParamW 4346->4347 4346->4355 4348 40415a 4347->4348 4347->4355 4349 404242 19 API calls 4348->4349 4350 404165 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4349->4350 4351 401389 2 API calls 4350->4351 4352 4041ab 4351->4352 4352->4316 4353 4041b3 ShowWindow 4352->4353 4354 40428e SendMessageW 4353->4354 4354->4355 4355->4314 4355->4316 4357 404222 4356->4357 4358 404228 SendMessageW 4356->4358 4357->4358 4358->4325 4359->4335 4360->4338 4361->4341 4362 4021ea 4363 402bbf 18 API calls 
4362->4363 4364 4021f0 4363->4364 4365 402bbf 18 API calls 4364->4365 4366 4021f9 4365->4366 4367 402bbf 18 API calls 4366->4367 4368 402202 4367->4368 4369 4064c1 2 API calls 4368->4369 4370 40220b 4369->4370 4371 40221c lstrlenW lstrlenW 4370->4371 4372 40220f 4370->4372 4374 4052dd 25 API calls 4371->4374 4373 4052dd 25 API calls 4372->4373 4376 402217 4372->4376 4373->4376 4375 40225a SHFileOperationW 4374->4375 4375->4372 4375->4376 4377 40156b 4378 401584 4377->4378 4379 40157b ShowWindow 4377->4379 4380 401592 ShowWindow 4378->4380 4381 402a4c 4378->4381 4379->4378 4380->4381 4382 40226e 4383 402275 4382->4383 4387 402288 4382->4387 4384 4061a0 18 API calls 4383->4384 4385 402282 4384->4385 4386 4058c3 MessageBoxIndirectW 4385->4386 4386->4387 4388 4014f1 SetForegroundWindow 4389 402a4c 4388->4389 3368 401673 3369 402bbf 18 API calls 3368->3369 3370 40167a 3369->3370 3371 402bbf 18 API calls 3370->3371 3372 401683 3371->3372 3373 402bbf 18 API calls 3372->3373 3374 40168c MoveFileW 3373->3374 3375 40169f 3374->3375 3381 401698 3374->3381 3376 4064c1 2 API calls 3375->3376 3379 4021e1 3375->3379 3378 4016ae 3376->3378 3377 401423 25 API calls 3377->3379 3378->3379 3382 40601f MoveFileExW 3378->3382 3381->3377 3383 406042 3382->3383 3384 406033 3382->3384 3383->3381 3387 405ead lstrcpyW 3384->3387 3388 405ed5 3387->3388 3389 405efb GetShortPathNameW 3387->3389 3414 405d53 GetFileAttributesW CreateFileW 3388->3414 3390 405f10 3389->3390 3391 40601a 3389->3391 3390->3391 3393 405f18 wsprintfA 3390->3393 3391->3383 3396 4061a0 18 API calls 3393->3396 3394 405edf CloseHandle GetShortPathNameW 3394->3391 3395 405ef3 3394->3395 3395->3389 3395->3391 3397 405f40 3396->3397 3415 405d53 GetFileAttributesW CreateFileW 3397->3415 3399 405f4d 3399->3391 3400 405f5c GetFileSize GlobalAlloc 3399->3400 3401 406013 CloseHandle 3400->3401 3402 405f7e 3400->3402 3401->3391 3403 405dd6 ReadFile 3402->3403 3404 405f86 3403->3404 3404->3401 3416 405cb8 lstrlenA 3404->3416 3407 
405fb1 3409 405cb8 4 API calls 3407->3409 3408 405f9d lstrcpyA 3410 405fbf 3408->3410 3409->3410 3411 405ff6 SetFilePointer 3410->3411 3412 405e05 WriteFile 3411->3412 3413 40600c GlobalFree 3412->3413 3413->3401 3414->3394 3415->3399 3417 405cf9 lstrlenA 3416->3417 3418 405d01 3417->3418 3419 405cd2 lstrcmpiA 3417->3419 3418->3407 3418->3408 3419->3418 3420 405cf0 CharNextA 3419->3420 3420->3417 4390 401cfa GetDlgItem GetClientRect 4391 402bbf 18 API calls 4390->4391 4392 401d2c LoadImageW SendMessageW 4391->4392 4393 401d4a DeleteObject 4392->4393 4394 402a4c 4392->4394 4393->4394 3836 4027fb 3837 402bbf 18 API calls 3836->3837 3838 402802 FindFirstFileW 3837->3838 3839 40282a 3838->3839 3842 402815 3838->3842 3840 402833 3839->3840 3844 4060c5 wsprintfW 3839->3844 3845 40617e lstrcpynW 3840->3845 3844->3840 3845->3842 4395 40237b 4396 402381 4395->4396 4397 402bbf 18 API calls 4396->4397 4398 402393 4397->4398 4399 402bbf 18 API calls 4398->4399 4400 40239d RegCreateKeyExW 4399->4400 4401 4023c7 4400->4401 4405 402a4c 4400->4405 4402 4023e2 4401->4402 4403 402bbf 18 API calls 4401->4403 4404 4023ee 4402->4404 4407 402ba2 18 API calls 4402->4407 4406 4023d8 lstrlenW 4403->4406 4408 402409 RegSetValueExW 4404->4408 4409 4030e7 45 API calls 4404->4409 4406->4402 4407->4404 4410 40241f RegCloseKey 4408->4410 4409->4408 4410->4405 4426 4014ff 4427 401507 4426->4427 4429 40151a 4426->4429 4428 402ba2 18 API calls 4427->4428 4428->4429 4430 401000 4431 401037 BeginPaint GetClientRect 4430->4431 4433 40100c DefWindowProcW 4430->4433 4434 4010f3 4431->4434 4437 401179 4433->4437 4435 401073 CreateBrushIndirect FillRect DeleteObject 4434->4435 4436 4010fc 4434->4436 4435->4434 4438 401102 CreateFontIndirectW 4436->4438 4439 401167 EndPaint 4436->4439 4438->4439 4440 401112 6 API calls 4438->4440 4439->4437 4440->4439 3183 402d04 3184 402d16 SetTimer 3183->3184 3185 402d2f 3183->3185 3184->3185 3186 402d7d 3185->3186 3190 402d83 3185->3190 3188 402d3d wsprintfW 
SetWindowTextW SetDlgItemTextW 3188->3186 3191 402d92 3190->3191 3192 402d94 MulDiv 3190->3192 3191->3192 3192->3188 4448 401904 4449 40193b 4448->4449 4450 402bbf 18 API calls 4449->4450 4451 401940 4450->4451 4452 40596f 69 API calls 4451->4452 4453 401949 4452->4453 4454 403985 4455 403990 4454->4455 4456 403994 4455->4456 4457 403997 GlobalAlloc 4455->4457 4457->4456 3218 402786 3219 40278d 3218->3219 3222 4029f7 3218->3222 3226 402ba2 3219->3226 3221 402798 3223 40279f SetFilePointer 3221->3223 3223->3222 3224 4027af 3223->3224 3229 4060c5 wsprintfW 3224->3229 3227 4061a0 18 API calls 3226->3227 3228 402bb6 3227->3228 3228->3221 3229->3222 4458 401907 4459 402bbf 18 API calls 4458->4459 4460 40190e 4459->4460 4461 4058c3 MessageBoxIndirectW 4460->4461 4462 401917 4461->4462 4463 401e08 4464 402bbf 18 API calls 4463->4464 4465 401e0e 4464->4465 4466 402bbf 18 API calls 4465->4466 4467 401e17 4466->4467 4468 402bbf 18 API calls 4467->4468 4469 401e20 4468->4469 4470 402bbf 18 API calls 4469->4470 4471 401e29 4470->4471 4472 401423 25 API calls 4471->4472 4473 401e30 ShellExecuteW 4472->4473 4474 401e61 4473->4474 3341 401389 3343 401390 3341->3343 3342 4013fe 3343->3342 3344 4013cb MulDiv SendMessageW 3343->3344 3344->3343 4480 404390 lstrlenW 4481 4043b1 WideCharToMultiByte 4480->4481 4482 4043af 4480->4482 4482->4481 4483 401491 4484 4052dd 25 API calls 4483->4484 4485 401498 4484->4485 4493 401a15 4494 402bbf 18 API calls 4493->4494 4495 401a1e ExpandEnvironmentStringsW 4494->4495 4496 401a32 4495->4496 4498 401a45 4495->4498 4497 401a37 lstrcmpW 4496->4497 4496->4498 4497->4498 4499 402515 4500 402bbf 18 API calls 4499->4500 4501 40251c 4500->4501 4504 405d53 GetFileAttributesW CreateFileW 4501->4504 4503 402528 4504->4503 4505 402095 4506 402bbf 18 API calls 4505->4506 4507 40209c 4506->4507 4508 402bbf 18 API calls 4507->4508 4509 4020a6 4508->4509 4510 402bbf 18 API calls 4509->4510 4511 4020b0 4510->4511 4512 402bbf 18 API calls 4511->4512 4513 4020ba 
4512->4513 4514 402bbf 18 API calls 4513->4514 4516 4020c4 4514->4516 4515 402103 CoCreateInstance 4520 402122 4515->4520 4516->4515 4517 402bbf 18 API calls 4516->4517 4517->4515 4518 401423 25 API calls 4519 4021e1 4518->4519 4520->4518 4520->4519 4521 401b16 4522 402bbf 18 API calls 4521->4522 4523 401b1d 4522->4523 4524 402ba2 18 API calls 4523->4524 4525 401b26 wsprintfW 4524->4525 4526 402a4c 4525->4526 4527 404696 4528 4046a6 4527->4528 4529 4046cc 4527->4529 4531 404242 19 API calls 4528->4531 4530 4042a9 8 API calls 4529->4530 4532 4046d8 4530->4532 4533 4046b3 SetDlgItemTextW 4531->4533 4533->4529 4534 40159b 4535 402bbf 18 API calls 4534->4535 4536 4015a2 SetFileAttributesW 4535->4536 4537 4015b4 4536->4537 4538 40541c 4539 4055c6 4538->4539 4540 40543d GetDlgItem GetDlgItem GetDlgItem 4538->4540 4542 4055f7 4539->4542 4543 4055cf GetDlgItem CreateThread CloseHandle 4539->4543 4583 404277 SendMessageW 4540->4583 4545 405622 4542->4545 4546 405647 4542->4546 4547 40560e ShowWindow ShowWindow 4542->4547 4543->4542 4544 4054ad 4549 4054b4 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4544->4549 4548 405682 4545->4548 4551 405636 4545->4551 4552 40565c ShowWindow 4545->4552 4553 4042a9 8 API calls 4546->4553 4585 404277 SendMessageW 4547->4585 4548->4546 4558 405690 SendMessageW 4548->4558 4556 405522 4549->4556 4557 405506 SendMessageW SendMessageW 4549->4557 4559 40421b SendMessageW 4551->4559 4554 40567c 4552->4554 4555 40566e 4552->4555 4560 405655 4553->4560 4562 40421b SendMessageW 4554->4562 4561 4052dd 25 API calls 4555->4561 4563 405535 4556->4563 4564 405527 SendMessageW 4556->4564 4557->4556 4558->4560 4565 4056a9 CreatePopupMenu 4558->4565 4559->4546 4561->4554 4562->4548 4567 404242 19 API calls 4563->4567 4564->4563 4566 4061a0 18 API calls 4565->4566 4568 4056b9 AppendMenuW 4566->4568 4569 405545 4567->4569 4570 4056d6 GetWindowRect 4568->4570 4571 4056e9 TrackPopupMenu 4568->4571 4572 405582 GetDlgItem SendMessageW 4569->4572 4573 

Control-flow Graph
APIs
• SetErrorMode.KERNELBASE ref: 004033D9
• GetVersion.KERNEL32 ref: 004033DF
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403408
• #17.COMCTL32(00000007,00000009), ref: 0040342B
• OleInitialize.OLE32(00000000), ref: 00403432
• SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 0040344E
• GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 00403463
• GetModuleHandleW.KERNEL32(00000000,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00000000), ref: 00403476
• CharNextW.USER32(00000000,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00000020), ref: 0040349D
  • Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
  • Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585
• GetTempPathW.KERNEL32(00000400,00437800), ref: 004035D7
• GetWindowsDirectoryW.KERNEL32(00437800,000003FB), ref: 004035E8
• lstrcatW.KERNEL32(00437800,\Temp), ref: 004035F4
• GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp), ref: 00403608
• lstrcatW.KERNEL32(00437800,Low), ref: 00403610
• SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low), ref: 00403621
• SetEnvironmentVariableW.KERNEL32(TMP,00437800), ref: 00403629
• DeleteFileW.KERNELBASE(00437000), ref: 0040363D
  • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
• ExitProcess.KERNEL32(?), ref: 00403703
• CoUninitialize.COMBASE(?), ref: 00403708
• ExitProcess.KERNEL32 ref: 00403729
• lstrcatW.KERNEL32(00437800,~nsu,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00000000,?), ref: 0040373C
• lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00000000,?), ref: 0040374B
• lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00000000,?), ref: 00403756
• lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00000000,?), ref: 00403762
• SetCurrentDirectoryW.KERNEL32(00437800,00437800), ref: 0040377E
• DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?), ref: 004037D8
• CopyFileW.KERNEL32(C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe,00420EE8,00000001), ref: 004037EC
• CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 00403819
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403848
• OpenProcessToken.ADVAPI32(00000000), ref: 0040384F
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403864
• AdjustTokenPrivileges.ADVAPI32 ref: 00403887
• ExitWindowsEx.USER32(00000002,80040002), ref: 004038AC
• ExitProcess.KERNEL32 ref: 004038CF
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$Handle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
• String ID: "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE$.tmp$C:\Program Files\TeamViewer$C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 354199918-3051870712
• Opcode ID: adc4d748d9836f5a15988fa3e2f94b2f0245c9efab62edd68d6b1bb0daacd0ec
• Instruction ID: be8551fa6605ebbbfda7487142ffb020be8bd547a3943651712312bea09c5587
• Opcode Fuzzy Hash: adc4d748d9836f5a15988fa3e2f94b2f0245c9efab62edd68d6b1bb0daacd0ec
• Instruction Fuzzy Hash: AED10571200300ABE7207F659D49A2B3AEDEB4074AF50443FF881B62D2DB7C8956876E

Control-flow Graph

(interactive graph of the function at 40596f not reproduced; legend: Executed / Not Executed)
APIs
• DeleteFileW.KERNELBASE(?,?,74DF3420,74DF2EE0,00000000), ref: 00405998
• lstrcatW.KERNEL32(C:\Windows\TEMP\nseC5E0.tmp\*.*,\*.*,C:\Windows\TEMP\nseC5E0.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 004059E0
• lstrcatW.KERNEL32(?,0040A014,?,C:\Windows\TEMP\nseC5E0.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A03
• lstrlenW.KERNEL32(?,?,0040A014,?,C:\Windows\TEMP\nseC5E0.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A09
• FindFirstFileW.KERNELBASE(C:\Windows\TEMP\nseC5E0.tmp\*.*,?,?,?,0040A014,?,C:\Windows\TEMP\nseC5E0.tmp\*.*,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A19
• FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AB9
• FindClose.KERNEL32(00000000), ref: 00405AC8
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE$C:\Windows\TEMP\nseC5E0.tmp\*.*$\*.*
• API String ID: 2035342205-1628145164
• Opcode ID: caf8ebbf86a4c95ad3815d748c14af6cf0a222b2c55ec9266b14322c72a8a4f6
• Instruction ID: 6c547db7f4d1248ed83a6ec2b2b7cf99957869ea0eb35c9edb1a86952611c1c3
• Opcode Fuzzy Hash: caf8ebbf86a4c95ad3815d748c14af6cf0a222b2c55ec9266b14322c72a8a4f6
• Instruction Fuzzy Hash: 5A41B530A40914A6CB21AB659CC9AAF7678EF41724F20427FF801711D1D77C5986DE6E
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
• Instruction ID: 84f5b91c3f937eb173619b21672ae23043901769df73ed9f159891f0fc81c8d0
• Opcode Fuzzy Hash: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
• Instruction Fuzzy Hash: 72F18671D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7385A8ACF45
APIs
• FindFirstFileW.KERNELBASE(74DF3420,00426778,00425F30,00405C83,00425F30,00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 004064CC
• FindClose.KERNELBASE(00000000), ref: 004064D8
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: xgB
• API String ID: 2295610775-399326502
• Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
• Instruction ID: 909a2899cbbcfc21b24ab628f9350e7a3c7b3772aa6d432f74911df6ac2d0bb5
• Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
• Instruction Fuzzy Hash: 8BD0C9315045209BC2111778AE4C85B7A98AF553317628A36B466F12A0C674CC22869C
APIs
• FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 760ba12aea5bac669ea06a92ce868f6cfbbc58d79179603cd607c726fd559e33
• Instruction ID: ca82d2f7608ddbe9a9db451b4e667c54ef54e9945bbc135f2cbc761c4928cd6d
• Opcode Fuzzy Hash: 760ba12aea5bac669ea06a92ce868f6cfbbc58d79179603cd607c726fd559e33
• Instruction Fuzzy Hash: 3CF08275600114DBC711EBE4DD49AAEB374FF00324F2045BBE105F31E1D7B499559B2A

Control-flow Graph
• Function 004039C7: graph rendering not reproduced here
APIs
  • Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
  • Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585
• lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,74DF3420,00437800,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00000000), ref: 00403A48
• lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,C:\Program Files\TeamViewer,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,74DF3420), ref: 00403AC8
• lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,C:\Program Files\TeamViewer,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403ADB
• GetFileAttributesW.KERNEL32(004281E0), ref: 00403AE6
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\TeamViewer), ref: 00403B2F
  • Part of subcall function 004060C5: wsprintfW.USER32 ref: 004060D2
• RegisterClassW.USER32(004291E0), ref: 00403B6C
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B84
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BB9
• ShowWindow.USER32(00000005,00000000), ref: 00403BEF
• GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403C1B
• GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403C28
• RegisterClassW.USER32(004291E0), ref: 00403C31
• DialogBoxParamW.USER32(?,00000000,00403D6A,00000000), ref: 00403C50
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE$(7B$.DEFAULT\Control Panel\International$.exe$C:\Program Files\TeamViewer$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-3034445695
• Opcode ID: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
• Instruction ID: e7f44595d902892b35b801f2f0c3734befc0b18a393fec54347386a87508d522
• Opcode Fuzzy Hash: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
• Instruction Fuzzy Hash: 8661C570244200BAD730AF669D49E2B3A7CEB84B49F40453FF981B62E2DB7D5912C63D

Control-flow Graph
• Function 00402E41: graph rendering not reproduced here
APIs
• GetTickCount.KERNEL32 ref: 00402E55
• GetModuleFileNameW.KERNEL32(00000000,C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe,00000400), ref: 00402E71
  • Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe,80000000,00000003), ref: 00405D57
  • Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
• GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe,C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe,80000000,00000003), ref: 00402EBA
• GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403001
Strings
• "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE, xrefs: 00402E41
• soft, xrefs: 00402F31
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040304A
• Inst, xrefs: 00402F28
• dVA, xrefs: 004030C6
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403098
• C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe, xrefs: 00402E5B, 00402E6A, 00402E7E, 00402E9B
• Null, xrefs: 00402F3A
• Error launching installer, xrefs: 00402E91
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE$C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$dVA$soft
• API String ID: 2803837635-3649123712
• Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
• Instruction ID: e866f1dd798e5fb15c0a347603bcfded6ce2f229c2e481af73dd86df93422dd6
• Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
• Instruction Fuzzy Hash: 9761C431A00215ABDB209F75DD49B9E7BB8EB00359F20817FF500F62D1DABD9A448B5D

Control-flow Graph
control_flow_graph 276 4061a0-4061ab 277 4061ad-4061bc 276->277 278 4061be-4061d4 276->278 277->278 279 4061da-4061e7 278->279 280 4063ec-4063f2 278->280 279->280 283 4061ed-4061f4 279->283 281 4063f8-406403 280->281 282 4061f9-406206 280->282 285 406405-406409 call 40617e 281->285 286 40640e-40640f 281->286 282->281 284 40620c-406218 282->284 283->280 287 4063d9 284->287 288 40621e-40625a 284->288 285->286 290 4063e7-4063ea 287->290 291 4063db-4063e5 287->291 292 406260-40626b GetVersion 288->292 293 40637a-40637e 288->293 290->280 291->280 294 406285 292->294 295 40626d-406271 292->295 296 406380-406384 293->296 297 4063b3-4063b7 293->297 301 40628c-406293 294->301 295->294 298 406273-406277 295->298 299 406394-4063a1 call 40617e 296->299 300 406386-406392 call 4060c5 296->300 302 4063c6-4063d7 lstrlenW 297->302 303 4063b9-4063c1 call 4061a0 297->303 298->294 305 406279-40627d 298->305 314 4063a6-4063af 299->314 300->314 307 406295-406297 301->307 308 406298-40629a 301->308 302->280 303->302 305->294 310 40627f-406283 305->310 307->308 312 4062d6-4062d9 308->312 313 40629c-4062b9 call 40604b 308->313 310->301 315 4062e9-4062ec 312->315 316 4062db-4062e7 GetSystemDirectoryW 312->316 322 4062be-4062c2 313->322 314->302 318 4063b1 314->318 320 406357-406359 315->320 321 4062ee-4062fc GetWindowsDirectoryW 315->321 319 40635b-40635f 316->319 323 406372-406378 call 406412 318->323 319->323 324 406361-406365 319->324 320->319 326 4062fe-406308 320->326 321->320 322->324 327 4062c8-4062d1 call 4061a0 322->327 323->302 324->323 329 406367-40636d lstrcatW 324->329 331 406322-406338 SHGetSpecialFolderLocation 326->331 332 40630a-40630d 326->332 327->319 329->323 335 406353 331->335 336 40633a-406351 SHGetPathFromIDListW CoTaskMemFree 331->336 332->331 334 40630f-406320 332->334 334->319 334->331 335->320 336->319 336->335
APIs
• GetVersion.KERNEL32(00000000,00422708,?,00405314,00422708,00000000,00000000,00000000), ref: 00406263
• GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 004062E1
• GetWindowsDirectoryW.KERNEL32(004281E0,00000400), ref: 004062F4
• SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406330
• SHGetPathFromIDListW.SHELL32(?,004281E0), ref: 0040633E
• CoTaskMemFree.OLE32(?), ref: 00406349
• lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040636D
• lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405314,00422708,00000000,00000000,00000000), ref: 004063C7
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 004062AF
• \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406367
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-730719616
• Opcode ID: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
• Instruction ID: 57c77dc533264c97ace6329bd87f7d674c2bea75a5b3d90d15d675b8bae5a73d
• Opcode Fuzzy Hash: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
• Instruction Fuzzy Hash: 1E611571A00104EBDF209F24CC40AAE37A5AF15314F56817FED56BA2D0D73D8AA2CB9D

Control-flow Graph
control_flow_graph 402 402d9f-402dae 403 402db0-402db7 402->403 404 402dc8-402dce 402->404 405 402dc0-402dc6 403->405 406 402db9-402dba DestroyWindow 403->406 407 402dd0-402dd1 call 406594 404->407 408 402dd8-402de4 GetTickCount 404->408 410 402e3e-402e40 405->410 406->405 412 402dd6 407->412 409 402de6-402dec 408->409 408->410 413 402e1b-402e38 CreateDialogParamW ShowWindow 409->413 414 402dee-402df5 409->414 412->410 413->410 414->410 415 402df7-402e19 call 402d83 wsprintfW call 4052dd 414->415 415->410
APIs
• DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
• GetTickCount.KERNEL32 ref: 00402DD8
• wsprintfW.USER32 ref: 00402E06
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
  • Part of subcall function 004052DD: lstrcatW.KERNEL32(00422708,00402E19,00402E19,00422708,00000000,00000000,00000000), ref: 00405338
  • Part of subcall function 004052DD: SetWindowTextW.USER32(00422708,00422708), ref: 0040534A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
  • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
• CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
• ShowWindow.USER32(00000000,00000005), ref: 00402E38
  • Part of subcall function 00402D83: MulDiv.KERNEL32(00000000,00000064,00001796), ref: 00402D98
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
• Opcode ID: 55d24c5390b907b95f49b66e4ea6ad5927533a63874c6edf844c1ebc3ef3af3f
• Instruction ID: 67f39cb704aca6262626a7976268bb3bb8a333bdab68892006d91dd8afb4411f
• Opcode Fuzzy Hash: 55d24c5390b907b95f49b66e4ea6ad5927533a63874c6edf844c1ebc3ef3af3f
• Instruction Fuzzy Hash: 96016D70541614EBC721AB60EF4DA9B7A68AF00706B14417FF885F12E0CBF85865CBEE

Control-flow Graph
control_flow_graph 420 402d04-402d14 421 402d16-402d28 SetTimer 420->421 422 402d2f-402d36 420->422 421->422 423 402d38-402d49 call 402d83 422->423 424 402d7d-402d80 422->424 427 402d50-402d78 wsprintfW SetWindowTextW SetDlgItemTextW 423->427 428 402d4b 423->428 427->424 428->427
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
• wsprintfW.USER32 ref: 00402D56
• SetWindowTextW.USER32(?,?), ref: 00402D66
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
                                                                                                                                                                                                                                  • Opcode ID: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
                                                                                                                                                                                                                                  • Instruction ID: 006a23aec332b8a1771af90dfa9c1e08c84c5b856183a3bf167901723993fe13
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2FF0367050020CABEF206F50DD49BEA3B69FF44305F00803AFA55B51D0DBF959558F59

Control-flow Graph (basic blocks with their successor edges; the rendered graph and its executed/not-executed colouring are not reproduced here)
• 429  4064e8-406508  GetSystemDirectoryW  -> 430, 431
• 430  40650a  -> 431
• 431  40650c-40650e  -> 432, 433
• 432  406510-406519  -> 433, 434
• 433  40651f-406521  -> 435
• 434  40651b-40651d  -> 435
• 435  406522-406555  wsprintfW, LoadLibraryExW
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
• wsprintfW.USER32 ref: 0040653A
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040654E
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
• Instruction ID: c6b4a3c42f63eea3762d57d51081eb848d485012b63e63803453d9912f42ff06
• Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
• Instruction Fuzzy Hash: 3AF0FC70500219BADB10AB64ED0DF9B366CAB00304F10403AA646F10D0EB7CD725CBA8

Control-flow Graph (basic blocks with their successor edges; the rendered graph and its executed/not-executed colouring are not reproduced here)
• 436  402bff-402c28  RegOpenKeyExW  -> 437, 438
• 437  402c93-402c97  (return)
• 438  402c2a-402c35  -> 439
• 439  402c50-402c60  RegEnumKeyW  -> 440, 441
• 440  402c62-402c74  RegCloseKey, call 406558  -> 449, 450
• 441  402c37-402c3a  -> 442, 443
• 442  402c87-402c8a  RegCloseKey  -> 447
• 443  402c3c-402c47  call 402bff (this function's own entry point: each enumerated subkey is deleted recursively before the parent key)  -> 448
• 447  402c90-402c92  -> 437
• 448  402c4c-402c4e  -> 439, 440
• 449  402c76-402c85  RegDeleteKeyExW  -> 437
• 450  402c9a-402ca0  -> 447, 451
• 451  402ca2-402cb0  RegDeleteKeyW  -> 447, 452
• 452  402cb2  -> 437
APIs
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
• RegCloseKey.KERNELBASE(?), ref: 00402C65
• RegDeleteKeyExW.KERNELBASE(?,?,00000000,00000003), ref: 00402C83
• RegCloseKey.ADVAPI32(?), ref: 00402C8A
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CloseDelete$EnumOpen
• String ID:
• API String ID: 345360480-0
• Opcode ID: 4ec6df6a7822e6832b209296c93603dddbd7b2fdc8aeab19611781db4307b28d
• Instruction ID: b9f5b7c8593eadded22e2ca3cbb8d83d08b5e31647f9888e60cfbaa55d101d4e
• Opcode Fuzzy Hash: 4ec6df6a7822e6832b209296c93603dddbd7b2fdc8aeab19611781db4307b28d
• Instruction Fuzzy Hash: 66116A71504119FFEF10AF90DF8CEAE3B79FB14384B10007AF905E11A0D7B58E55AA69

Control-flow Graph (basic blocks with their successor edges; the rendered graph and its executed/not-executed colouring are not reproduced here)
• 453  4031ef-403217  GetTickCount  -> 454, 455
• 454  403347-40334f  call 402d9f  -> 460
• 455  40321d-403248  call 40336e, SetFilePointer  -> 461
• 460  403351-403355  (return)
• 461  40324d-40325f  -> 462, 463
• 462  403261  -> 463
• 463  403263-403271  call 403358  -> 466, 467
• 466  403277-403283  -> 468
• 467  403339-40333c  -> 460
• 468  403289-40328f  -> 469, 470
• 469  403291-403297  -> 470, 471
• 470  4032ba-4032d6  call 406697  -> 476, 477
• 471  403299-4032b9  call 402d9f  -> 470
• 476  403342  -> 478
• 477  4032d8-4032e0  -> 479, 480
• 478  403344-403345  -> 460
• 479  4032e2-4032ea  call 405e05  -> 484
• 480  403303-403309  -> 476, 481
• 481  40330b-40330d  -> 476, 483
• 483  40330f-403322  -> 461, 485
• 484  4032ef-4032f1  -> 486, 487
• 485  403328-403337  SetFilePointer  -> 454
• 486  4032f3-4032ff  -> 468, 488
• 487  40333e-403340  -> 478
• 488  403301  -> 483
APIs
• GetTickCount.KERNEL32 ref: 00403203
• Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 00403236
• SetFilePointer.KERNELBASE(00415664,00000000,00000000,00414ED0,00004000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000), ref: 00403331
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FilePointer$CountTick
• String ID: @@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@$dVA
• API String ID: 1092082344-3936939755
• Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
• Instruction ID: 2fd669d0756999c0d63da40b5d988076205959dac08f3783f289fe1fafb1afdd
• Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
• Instruction Fuzzy Hash: 19314B72500204DBD710DF69EEC49663FA9F74075A718423FE900F22E0CBB55D458B9D

Control-flow Graph

control_flow_graph 489 406697-4066ba 490 4066c4-4066c7 489->490 491 4066bc-4066bf 489->491 493 4066ca-4066d3 490->493 492 4070e4-4070e8 491->492 494 4070e1 493->494 495 4066d9 493->495 494->492 496 4066e0-4066e4 495->496 497 406820-406ec7 495->497 498 406785-406789 495->498 499 4067f5-4067f9 495->499 502 4066ea-4066f7 496->502 503 4070cc-4070df 496->503 508 406ee1-406ef7 497->508 509 406ec9-406edf 497->509 500 407035-40703f 498->500 501 40678f-4067a8 498->501 504 407044-40704e 499->504 505 4067ff-406813 499->505 500->503 507 4067ab-4067af 501->507 502->494 510 4066fd-406743 502->510 503->492 504->503 511 406816-40681e 505->511 507->498 512 4067b1-4067b7 507->512 513 406efa-406f01 508->513 509->513 514 406745-406749 510->514 515 40676b-40676d 510->515 511->497 511->499 516 4067e1-4067f3 512->516 517 4067b9-4067c0 512->517 518 406f03-406f07 513->518 519 406f28-406f34 513->519 520 406754-406762 GlobalAlloc 514->520 521 40674b-40674e GlobalFree 514->521 522 40677b-406783 515->522 523 40676f-406779 515->523 516->511 524 4067c2-4067c5 GlobalFree 517->524 525 4067cb-4067db GlobalAlloc 517->525 526 4070b6-4070c0 518->526 527 406f0d-406f25 518->527 519->493 520->494 529 406768 520->529 521->520 522->507 523->522 523->523 524->525 525->494 525->516 526->503 527->519 529->515
Strings
• @@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@, xrefs: 00406697
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID: @@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@
• API String ID: 0-2705140028
• Opcode ID: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
• Instruction ID: 5389f57cfb4a3ea8b0a271fe5c21418892ef356aef38e154ca47b5156c43700c
• Opcode Fuzzy Hash: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
• Instruction Fuzzy Hash: 37816831D04229CBDF24CFA8C844BADBBB0FF44305F11816AD956BB281D7785986DF45

Control-flow Graph

control_flow_graph 530 401767-40178c call 402bbf call 405ba9 535 401796-4017a8 call 40617e call 405b32 lstrcatW 530->535 536 40178e-401794 call 40617e 530->536 541 4017ad-4017ae call 406412 535->541 536->541 545 4017b3-4017b7 541->545 546 4017b9-4017c3 call 4064c1 545->546 547 4017ea-4017ed 545->547 555 4017d5-4017e7 546->555 556 4017c5-4017d3 CompareFileTime 546->556 549 4017f5-401811 call 405d53 547->549 550 4017ef-4017f0 call 405d2e 547->550 557 401813-401816 549->557 558 401885-4018ae call 4052dd call 4030e7 549->558 550->549 555->547 556->555 559 401867-401871 call 4052dd 557->559 560 401818-401856 call 40617e * 2 call 4061a0 call 40617e call 4058c3 557->560 572 4018b0-4018b4 558->572 573 4018b6-4018c2 SetFileTime 558->573 570 40187a-401880 559->570 560->545 593 40185c-40185d 560->593 574 402a55 570->574 572->573 576 4018c8-4018d3 CloseHandle 572->576 573->576 577 402a57-402a5b 574->577 579 4018d9-4018dc 576->579 580 402a4c-402a4f 576->580 581 4018f1-4018f4 call 4061a0 579->581 582 4018de-4018ef call 4061a0 lstrcatW 579->582 580->574 588 4018f9-40228d call 4058c3 581->588 582->588 588->577 588->580 593->570 594 40185f-401860 593->594 594->559
APIs
• lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017A8
• CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017CD
  • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
  • Part of subcall function 004052DD: lstrcatW.KERNEL32(00422708,00402E19,00402E19,00422708,00000000,00000000,00000000), ref: 00405338
  • Part of subcall function 004052DD: SetWindowTextW.USER32(00422708,00422708), ref: 0040534A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
  • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID:
• API String ID: 1941528284-0
• Opcode ID: 691a1510b89acce80dd3805f8ce29c63c215ef208285089eafd6533280d8da0c
• Instruction ID: b64174440326d41e90dd14f1ad6608c73badddfa8ee8632f400ec40acf256ac3
• Opcode Fuzzy Hash: 691a1510b89acce80dd3805f8ce29c63c215ef208285089eafd6533280d8da0c
• Instruction Fuzzy Hash: 0C41C431900515BACF117FB5CC46DAE3679EF05329B20827BF422F51E2DA3C86629A6D

Control-flow Graph

control_flow_graph 596 405d82-405d8e 597 405d8f-405dc3 GetTickCount GetTempFileNameW 596->597 598 405dd2-405dd4 597->598 599 405dc5-405dc7 597->599 601 405dcc-405dcf 598->601 599->597 600 405dc9 599->600 600->601
APIs
• GetTickCount.KERNEL32 ref: 00405DA0
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,004033B4,00437000,00437800,00437800,00437800,00437800,00437800,00437800,004035DE), ref: 00405DBB
Strings
• "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE, xrefs: 00405D82
• nsa, xrefs: 00405D8F
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE$nsa
• API String ID: 1716503409-1472656423
• Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
• Instruction ID: a69a53d4b23f3d63feeda802a3e8a765614c71270742c911b33c62312df6cecc
• Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
• Instruction Fuzzy Hash: 32F06D76600608BBDB008B59DD09AABBBB8EF91710F10803BEE01F7190E6B09A548B64

Control-flow Graph (rendered graph not reproduced; blocks are marked Executed / Not Executed in the original): function entry block 0040237b, with internal calls to 00402cb4, 00402bbf, 00402ba2 and 004030e7, and API calls RegCreateKeyExW, lstrlenW, RegSetValueExW and RegCloseKey; exit block 00402a4c-00402a5b.
APIs
• RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
• lstrlenW.KERNEL32(0040B5D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
• RegSetValueExW.ADVAPI32(?,?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
• RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CloseCreateValuelstrlen
• String ID:
• API String ID: 1356686001-0
• Opcode ID: 67c77c8d659d9d4bc82cacddac1e216fe0077c84403bdf1d9c96e54a2d3d16bf
• Instruction ID: d84b147cfae213de6894e87518a1957a70c03431d85ade02b305fde94438308f
• Opcode Fuzzy Hash: 67c77c8d659d9d4bc82cacddac1e216fe0077c84403bdf1d9c96e54a2d3d16bf
• Instruction Fuzzy Hash: E511C071E00108BFEB10AFA4DE89DAE777DEB14358F11403AF904B71D1DBB85E409668

Control-flow Graph (rendered graph not reproduced; blocks are marked Executed / Not Executed in the original): function entry block 00401e66, with internal calls to 00402bbf, 004052dd, 0040585e, 00406594 and 004060c5, and API calls WaitForSingleObject, GetExitCodeProcess and CloseHandle; exit block 00402a4c-00402a5b.
APIs
• Part of subcall function 004052DD: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
• Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
• Part of subcall function 004052DD: lstrcatW.KERNEL32(00422708,00402E19,00402E19,00422708,00000000,00000000,00000000), ref: 00405338
• Part of subcall function 004052DD: SetWindowTextW.USER32(00422708,00422708), ref: 0040534A
• Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
• Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
• Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
• Part of subcall function 0040585E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
• Part of subcall function 0040585E: CloseHandle.KERNEL32(?), ref: 00405894
• WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
• CloseHandle.KERNELBASE(?,00000000,000000EB,00000000), ref: 00401EDE
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
• String ID:
• API String ID: 3585118688-0
• Opcode ID: a78f467d102d634b70d0cd300a6522cd21a94210720227bbe75178bdad148be0
• Instruction ID: 5702df78c33f9bd13decba52644e1012fe72a42f767711efff684f6f7274af03
• Opcode Fuzzy Hash: a78f467d102d634b70d0cd300a6522cd21a94210720227bbe75178bdad148be0
• Instruction Fuzzy Hash: FF11A131900508EBCF21AF91CD4499E7AB6AF40314F21407BFA05B61F1D7798A92DB99
APIs
• CreateDirectoryW.KERNELBASE(?,?,00437800), ref: 004057EF
• GetLastError.KERNEL32 ref: 00405803
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405818
• GetLastError.KERNEL32 ref: 00405822
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID:
• API String ID: 3449924974-0
• Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
• Instruction ID: b278f7ea68de5888e34302da86fdb06c438f4ef9b03e74a9ab654546e4f81ce2
• Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
• Instruction Fuzzy Hash: 89010871D00619DADF10DBA0D9447EFBFB8EB04304F00803ADA44B6190E7789618DFA9
APIs
• SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 0040310C
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FilePointer
                                                                                                                                                                                                                                  • String ID: dVA
                                                                                                                                                                                                                                  • API String ID: 973152223-1571107130
                                                                                                                                                                                                                                  • Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
                                                                                                                                                                                                                                  • Instruction ID: 040f2acbe5348ef8c996952313d322865bd2faa87b76d8d9ba7109e69b0e4b3d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 22316B30200219EBDB108F55ED84ADA3F68EB08359F20813AF905EA1D0DB79DF50DBA9
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
                                                                                                                                                                                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
                                                                                                                                                                                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
                                                                                                                                                                                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405C93
                                                                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 00405CA3
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                                                                  • String ID: 0_B
                                                                                                                                                                                                                                  • API String ID: 3248276644-2128305573
                                                                                                                                                                                                                                  • Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
                                                                                                                                                                                                                                  • Instruction ID: 790be11e20efdccda9c73cacd4945748764c6204d4d0b11914a12a4c94a1ccfd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 41F0F925108F6515F62233790D05EAF2554CF82394755067FF891B12D1DB3C9D938C7D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
                                                                                                                                                                                                                                  • Instruction ID: 95c87b37ce546c92696c349aad8761a6baa0f42cb897a758cf539d426e2a5a70
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 65A13471D00229CBDF28CFA8C844AADBBB1FF44305F15816AD956BB281D7785A86DF44
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
                                                                                                                                                                                                                                  • Instruction ID: dd225a6952a4a1885b566de7f95e3528e0c965b1b64db9b9769652e5c735704b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
• Instruction Fuzzy Hash: 3D913370D04229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB291C7789A86DF45
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
• Instruction ID: c728d5504c89e28601c55753f21d2f559f3974f1a6ce44cf054f885a45476dee
• Opcode Fuzzy Hash: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
• Instruction Fuzzy Hash: 06813471D04228CFDF24CFA8C844BADBBB1FB44305F25816AD856BB291C7789A86DF45
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
• Instruction ID: 7cecadd07089ef5f508d2048bcf4206a214b5fe31ba49bd0cdf53ec9cfb3ce0b
• Opcode Fuzzy Hash: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
• Instruction Fuzzy Hash: 35712175D04228CBDF28CFA8C844BADBBB1FB44305F15816AD806BB281D7789A96DF44
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
• Instruction ID: f96eec566abe8136b7696836c8602221009d3abbc3cba5cf828ad5cd02611e0d
• Opcode Fuzzy Hash: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
• Instruction Fuzzy Hash: 56713371D04228CBEF28CFA8C844BADBBB1FF44305F15816AD856BB281C7789996DF45
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
• Instruction ID: 17f295adf0ba2181094cfffbed918b39bb4908eb68d6975640ddb9889f0749db
• Opcode Fuzzy Hash: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
• Instruction Fuzzy Hash: F2714531D04229CBEF28CF98C844BADBBB1FF44305F11816AD816BB291C7785A96DF44
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
  • Part of subcall function 004052DD: lstrcatW.KERNEL32(00422708,00402E19,00402E19,00422708,00000000,00000000,00000000), ref: 00405338
  • Part of subcall function 004052DD: SetWindowTextW.USER32(00422708,00422708), ref: 0040534A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
  • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
APIs
• WideCharToMultiByte.KERNEL32(?,?,0040B5D8,000000FF,0040ADD8,00000400,?,?,00000021), ref: 00402583
• lstrlenA.KERNEL32(0040ADD8,?,?,0040B5D8,000000FF,0040ADD8,00000400,?,?,00000021), ref: 0040258E
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen
APIs
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,004281E0,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 00406075
• RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 00406096
• RegCloseKey.KERNELBASE(?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 004060B9
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CloseOpenQueryValue
APIs
  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
• RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Enum$CloseOpenValue
APIs
  • Part of subcall function 00405D2E: GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
  • Part of subcall function 00405D2E: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405D47
• RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405B09), ref: 00405942
• DeleteFileW.KERNELBASE(?,?,?,00000000,00405B09), ref: 0040594A
• SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405962
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1655745494-0
                                                                                                                                                                                                                                  • Opcode ID: 4d7e10e481d95c5c5c7c05f6c7e2fdde8e74fc3924f4c20308c7a9621a850695
                                                                                                                                                                                                                                  • Instruction ID: ecea3d8082f0941e5ee01c5501cf82e541f4c7e763f85e657b920a2cf98d934c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d7e10e481d95c5c5c7c05f6c7e2fdde8e74fc3924f4c20308c7a9621a850695
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6EE09B72105A91D6D21067349E0CB5F2AD8DF96335F09493EF595F11D0C778880ACA7D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(FFFFFFFF,00437800,00403708,?), ref: 004038E7
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(FFFFFFFF,00437800,00403708,?), ref: 004038FB
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • C:\Windows\TEMP\nseC5E0.tmp\, xrefs: 0040390B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CloseHandle
• String ID: C:\Windows\TEMP\nseC5E0.tmp\
• API String ID: 2962429428-3537077208
• Opcode ID: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
• Instruction ID: 23b98c188a40640ee87c89e263e7d2a3484f90a0975adae1b2ea6fd77d705eba
• Opcode Fuzzy Hash: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
• Instruction Fuzzy Hash: 78E086B14407149AC124AF7CAD495853A185F453357248726F178F20F0C778996B5E9D
APIs
• WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414BCB,@@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@,004032EF,@@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@,00414BCB,00414ED0,00004000,?,00000000,00403119,00000004), ref: 00405E19
Strings
• @@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@, xrefs: 00405E05
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FileWrite
• String ID: @@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@
• API String ID: 3934441357-2705140028
• Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
• Instruction ID: dac0b8971ba2920abb5474f128329a0fa477ab7403896bbfc0984bb8014ca22f
• Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
• Instruction Fuzzy Hash: 4AE08632100119ABCF105F50DC00EEB376CEB00350F004832FA65E2040E230EA219BE4
APIs
• ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,@@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@,0040336B,0040A230,0040A230,0040326F,00414ED0,00004000,?,00000000,00403119), ref: 00405DEA
Strings
• @@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@, xrefs: 00405DD6
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FileRead
• String ID: @@@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD@@@
• API String ID: 2738559852-2705140028
• Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
• Instruction ID: f39de87387fc754cac4ceee649b5e38243fe2bf9183d254406dbd5143e25ae03
• Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
• Instruction Fuzzy Hash: 57E0EC3221125AABDF509F65DC08AEB7B6DEF05360F008837F955E6160D631E9219BE8
APIs
  • Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
  • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
  • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
  • Part of subcall function 004057AC: CreateDirectoryW.KERNELBASE(?,?,00437800), ref: 004057EF
• SetCurrentDirectoryW.KERNEL32(?,00436000,?,00000000,000000F0), ref: 00401645
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID:
• API String ID: 1892508949-0
• Opcode ID: 2305ffb504cd1727ef0d2f6d990949bd10217623809cec2c7a11ebe9bcb6ddd7
• Instruction ID: 18abe7de9e9977a76830232601504265d2e6edcedfe07fce7f69d5744a4425eb
• Opcode Fuzzy Hash: 2305ffb504cd1727ef0d2f6d990949bd10217623809cec2c7a11ebe9bcb6ddd7
• Instruction Fuzzy Hash: F911E631500504EBCF207FA0CD0199E3AB2EF44364B25453BF906B61F2DA3D4A819E5E
APIs
  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
• RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 7c5d0e18f6a429da2bc85dc3c2d089be0215a696c23f31d9e61351b332a472c5
• Instruction ID: a4ed2935f8c713a64b441f8b02302a8faa8aa65f3841d01997d269d515fb9b23
• Opcode Fuzzy Hash: 7c5d0e18f6a429da2bc85dc3c2d089be0215a696c23f31d9e61351b332a472c5
• Instruction Fuzzy Hash: 9D119131911205EBDB10CFA0CA489AEB7B4EF44354B20843FE446B72D0D6B85A41DB19
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
• Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
• Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
• Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D
APIs
  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
• RegCloseKey.ADVAPI32(00000000), ref: 00402347
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID:
• API String ID: 849931509-0
• Opcode ID: af1b21a11892d4ef4174ae2b41b7854131aa20919259ada3e53a4d904ddc093b
• Instruction ID: b5033fe3495a5d5fbf66e52db86fe43622c16bf705f2fe0f4142c4154f9543e6
• Opcode Fuzzy Hash: af1b21a11892d4ef4174ae2b41b7854131aa20919259ada3e53a4d904ddc093b
• Instruction Fuzzy Hash: 45F04F32A04110ABEB11BFB59B4EABE726A9B40314F15807BF501B71D5D9FC99025629
APIs
• DispatchMessageW.USER32(?), ref: 004065AB
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004065BB
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$DispatchPeek
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1770753511-0
                                                                                                                                                                                                                                  • Opcode ID: ef2e4593c0240a07502a9f68f436a2f199b7ff7db9f8b56736ff16cb35fdca16
                                                                                                                                                                                                                                  • Instruction ID: 3df2e48da143b1230ddfac55cbc283c178fe6404b28bee855849021750633643
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ef2e4593c0240a07502a9f68f436a2f199b7ff7db9f8b56736ff16cb35fdca16
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EBE086B790111876CA10A799AD05ECB776C9B95750F014036F611F3085D678E5118AB4
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
• GetProcAddress.KERNEL32(00000000,?), ref: 00406585
  • Part of subcall function 004064E8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
  • Part of subcall function 004064E8: wsprintfW.USER32 ref: 0040653A
  • Part of subcall function 004064E8: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040654E
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
• Instruction ID: 8c1a5bb66f910ccc430fc34c4425cef617f316e2833151c7c1ff8c8a0ee84b40
• Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
• Instruction Fuzzy Hash: C3E086326042206BD6105B706E0893762BC9ED8740302483EF946F2084D778DC329A6D
APIs
• FreeLibrary.KERNELBASE(?,74DF3420,00000000,74DF2EE0,00403909,00437800,00403708,?), ref: 0040394C
• GlobalFree.KERNEL32(?), ref: 00403953
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID:
• API String ID: 1100898210-0
• Opcode ID: f4316848cbc6ebdc68634a281282690bfac6e24f3e15d004bec6d27d8a9ac131
• Instruction ID: 420717e04dc644aaadfe3aeddcd4797dc829437e29e913c3c6529364dabb0ba4
• Opcode Fuzzy Hash: f4316848cbc6ebdc68634a281282690bfac6e24f3e15d004bec6d27d8a9ac131
• Instruction Fuzzy Hash: 41E012739011309BC6225F95ED44B5E7B6D6F95B32F0A423AE9807B26087B45D838FD8
APIs
• GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe,80000000,00000003), ref: 00405D57
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
• Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
• Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
• Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
                                                                                                                                                                                                                                  • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405D47
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,004033A9,00437800,00437800,00437800,00437800,00437800,004035DE), ref: 0040582F
• GetLastError.KERNEL32 ref: 0040583D
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401BA7
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
APIs
• MoveFileW.KERNEL32(00000000,00000000), ref: 0040168E
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FileMove
• String ID:
• API String ID: 3562171763-0
APIs
• FindNextFileW.KERNELBASE(00000000,?,?), ref: 004027E2
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
                                                                                                                                                                                                                                    • Part of subcall function 004060C5: wsprintfW.USER32 ref: 004060D2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FilePointerwsprintf
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 327478801-0
                                                                                                                                                                                                                                  • Opcode ID: a43271754c7f07c99b9378ce98c7c6ca1c5cab0cf9015cd4f7670726b0543b0b
                                                                                                                                                                                                                                  • Instruction ID: 0f14848d4f24c16631b00b750435c060a764b4453362ef8260df6bafad2d34e7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a43271754c7f07c99b9378ce98c7c6ca1c5cab0cf9015cd4f7670726b0543b0b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7FE01A71601114ABDB11EBA59E4ACAE766AAB40328B10443BF501F14E1CAB988619A2E
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 71445658-0
                                                                                                                                                                                                                                  • Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
                                                                                                                                                                                                                                  • Instruction ID: ef45ff86538a2d51f1b0222ec8c1b297abd10be8bd22699319dc95f068cee933
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CCE08676244108BFDB00DFA8DE47FD537ECAB14700F004031BA08D70D1C674E5508768
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PrivateProfileString
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1096422788-0
                                                                                                                                                                                                                                  • Opcode ID: 2412c5e6e38f405480bfb5068b9d3e64da5a88d06b16ee9e0a03aeafae2b93d0
                                                                                                                                                                                                                                  • Instruction ID: 815fd251d1ef055c124add3867079dbd89389a2e6f50d5753089410e689aa70c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2412c5e6e38f405480bfb5068b9d3e64da5a88d06b16ee9e0a03aeafae2b93d0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 91E04F30800208BBDF01AFA4CE49DBD3B79AF00344F14043AF940AB0D5E7F89A819749
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MoveFileExW.KERNELBASE(?,?,00000005,00405B21,?,00000000,000000F1,?,?,?,?,?), ref: 00406029
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: lstrcpyW.KERNEL32(00426DC8,NUL,?,00000000,?,?,00406040,?,?), ref: 00405EBC
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00406040,?,?), ref: 00405EE0
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405EE9
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F06
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: wsprintfA.USER32 ref: 00405F24
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405F5F
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F6E
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                                                                                                                                                                                                    • Part of subcall function 00405EAD: SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00405FFC
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$NamePathShortlstrcpy$AllocCloseGlobalHandleMovePointerSizewsprintf
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2305538632-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404C71
• GetDlgItem.USER32(?,00000408), ref: 00404C7C
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404CC6
• LoadBitmapW.USER32(0000006E), ref: 00404CD9
• SetWindowLongW.USER32(?,000000FC,00405251), ref: 00404CF2
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D06
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D18
• SendMessageW.USER32(?,00001109,00000002), ref: 00404D2E
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3A
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D4C
• DeleteObject.GDI32(00000000), ref: 00404D4F
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7A
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D86
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E1C
• SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E47
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E5B
• GetWindowLongW.USER32(?,000000F0), ref: 00404E8A
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E98
• ShowWindow.USER32(?,00000005), ref: 00404EA9
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FA6
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040500B
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405020
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405044
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405064
• ImageList_Destroy.COMCTL32(?), ref: 00405079
• GlobalFree.KERNEL32(?), ref: 00405089
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405102
• SendMessageW.USER32(?,00001102,?,?), ref: 004051AB
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BA
• InvalidateRect.USER32(?,00000000,00000001), ref: 004051DA
• ShowWindow.USER32(?,00000000), ref: 00405228
• GetDlgItem.USER32(?,000003FE), ref: 00405233
• ShowWindow.USER32(00000000), ref: 0040523A
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018
APIs
• GetDlgItem.USER32(?,00000403), ref: 0040547A
• GetDlgItem.USER32(?,000003EE), ref: 00405489
• GetClientRect.USER32(?,?), ref: 004054C6
• GetSystemMetrics.USER32(00000002), ref: 004054CD
• SendMessageW.USER32(?,00001061,00000000,?), ref: 004054EE
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054FF
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405512
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405520
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405533
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405555
• ShowWindow.USER32(?,00000008), ref: 00405569
• GetDlgItem.USER32(?,000003EC), ref: 0040558A
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559A
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B3
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055BF
• GetDlgItem.USER32(?,000003F8), ref: 00405498
  • Part of subcall function 00404277: SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285
• GetDlgItem.USER32(?,000003EC), ref: 004055DC
• CreateThread.KERNEL32(00000000,00000000,Function_000053B0,00000000), ref: 004055EA
• CloseHandle.KERNEL32(00000000), ref: 004055F1
• ShowWindow.USER32(00000000), ref: 00405615
• ShowWindow.USER32(?,00000008), ref: 0040561A
• ShowWindow.USER32(00000008), ref: 00405664
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405698
• CreatePopupMenu.USER32 ref: 004056A9
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056BD
• GetWindowRect.USER32(?,?), ref: 004056DD
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056F6
• SendMessageW.USER32(?,00001073,00000000,?), ref: 0040572E
• OpenClipboard.USER32(00000000), ref: 0040573E
• EmptyClipboard.USER32 ref: 00405744
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405750
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 0040575A
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040576E
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040578E
                                                                                                                                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00405799
                                                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 0040579F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                                                  • String ID: (7B${
                                                                                                                                                                                                                                  • API String ID: 590372296-525222780
                                                                                                                                                                                                                                  • Opcode ID: 7d3ad4f7b905998d9e0ff1ed48f107a225979fc90d670cd13e2faa1d61a6de43
                                                                                                                                                                                                                                  • Instruction ID: 3349dadf3efb3a8fdffdb79f187be012afacb07b5928e089a4a7fd9dccbac2fd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7d3ad4f7b905998d9e0ff1ed48f107a225979fc90d670cd13e2faa1d61a6de43
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 60B15670900608FFDB119FA0DD89EAE3B79FB48354F40847AFA45A61A0CB754E52DF68
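The APIs listing above is a raw dump of call sites, and the values that carry the meaning (which ListView message, which GlobalAlloc flags, which clipboard format) are left as hex. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the analysed sample. It parses lines of the shape shown in the listing, decodes the Win32 constants that occur in this function (standard header values, assumed rather than taken from the report), and summarises the clipboard interaction. SAMPLE_LISTING is copied from the entry above; the function and table names are the example's own.

```python
"""Decode Joe Sandbox 'APIs' listing lines into readable Win32 call summaries.

Added example for this report page; it is not Joe Sandbox code and not part of
the analysed sample. SAMPLE_LISTING is copied from the function entry above;
the constant tables hold standard Win32 values (assumed, not taken from the
report) and cover only what these lines need.
"""
import re

# Constructed input: call sites copied from the function entry above.
SAMPLE_LISTING = """\
• GetDlgItem.USER32(?,000003EC), ref: 004055DC
• CreateThread.KERNEL32(00000000,00000000,Function_000053B0,00000000), ref: 004055EA
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405698
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056F6
• SendMessageW.USER32(?,00001073,00000000,?), ref: 0040572E
• OpenClipboard.USER32(00000000), ref: 0040573E
• EmptyClipboard.USER32 ref: 00405744
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405750
• SetClipboardData.USER32(0000000D,00000000), ref: 00405799
• CloseClipboard.USER32 ref: 0040579F
"""

# One call site: Api.DLL(args), ref: address   (the argument list may be absent)
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Standard Win32 values (assumed from the SDK headers, not from the report).
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0111: "WM_COMMAND",
                   0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW"}
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}
GMEM_FLAGS = {0x0002: "GMEM_MOVEABLE", 0x0040: "GMEM_ZEROINIT"}
TPM_FLAGS = {0x0080: "TPM_NONOTIFY", 0x0100: "TPM_RETURNCMD"}


def _flags(value, table):
    """Render a bit mask as NAME|NAME, keeping any undecoded bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


# (api, argument index) -> decoder for that argument
DECODERS = {
    ("SendMessageW", 1): lambda v: WINDOW_MESSAGES.get(v, f"msg 0x{v:X}"),
    ("GlobalAlloc", 0): lambda v: _flags(v, GMEM_FLAGS),
    ("SetClipboardData", 0): lambda v: CLIPBOARD_FORMATS.get(v, f"format {v}"),
    ("TrackPopupMenu", 1): lambda v: _flags(v, TPM_FLAGS),
}


def _arg(tok):
    """'?' is an unresolved operand; hex becomes int; anything else stays symbolic."""
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok  # e.g. Function_000053B0 passed as a thread start routine


def parse_listing(text):
    """Return one dict per recognised call-site line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "dll": m["dll"],
                      "args": args, "ref": m["ref"].upper()})
    return calls


def decode_call(call):
    """Pretty-print one call with known constants named next to their hex value."""
    parts = []
    for i, arg in enumerate(call["args"]):
        if arg is None:
            parts.append("?")
        elif isinstance(arg, str):
            parts.append(arg)
        else:
            dec = DECODERS.get((call["api"], i))
            parts.append(f"{dec(arg)} (0x{arg:X})" if dec else f"0x{arg:X}")
    return f"{call['ref']}: {call['api']}({', '.join(parts)})"


def clipboard_summary(calls):
    """Direction of clipboard use: SetClipboardData writes, GetClipboardData reads."""
    apis = {c["api"] for c in calls}
    formats = [CLIPBOARD_FORMATS.get(c["args"][0], f"format {c['args'][0]}")
               for c in calls
               if c["api"] == "SetClipboardData" and c["args"]
               and isinstance(c["args"][0], int)]
    return {"opens": "OpenClipboard" in apis,
            "writes": "SetClipboardData" in apis,
            "reads": "GetClipboardData" in apis,
            "formats": formats}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        print(decode_call(c))
    print(clipboard_summary(parsed))
```

Run against the lines above, the decoder shows the function counting ListView rows (LVM_GETITEMCOUNT), pulling each row's text with LVM_GETITEMTEXTW into a GMEM_MOVEABLE|GMEM_ZEROINIT buffer, and handing that buffer to the clipboard as CF_UNICODETEXT after a TPM_RETURNCMD popup menu. The summary is the caveat worth keeping in mind when triaging: this routine only writes the clipboard; there is no GetClipboardData call site in the listing, so it is not by itself evidence of clipboard harvesting.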
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DA6
• ShowWindow.USER32(?), ref: 00403DC3
• DestroyWindow.USER32 ref: 00403DD7
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF3
• GetDlgItem.USER32(?,?), ref: 00403E14
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E28
• IsWindowEnabled.USER32(00000000), ref: 00403E2F
• GetDlgItem.USER32(?,00000001), ref: 00403EDD
• GetDlgItem.USER32(?,00000002), ref: 00403EE7
• SetClassLongW.USER32(?,000000F2,?), ref: 00403F01
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F52
• GetDlgItem.USER32(?,00000003), ref: 00403FF8
• ShowWindow.USER32(00000000,?), ref: 00404019
• EnableWindow.USER32(?,?), ref: 0040402B
• EnableWindow.USER32(?,?), ref: 00404046
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040405C
• EnableMenuItem.USER32(00000000), ref: 00404063
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040407B
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040408E
• lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 004040B7
• SetWindowTextW.USER32(?,00423728), ref: 004040CB
• ShowWindow.USER32(?,0000000A), ref: 004041FF
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
• String ID: (7B
• API String ID: 184305955-3251261122
• Opcode ID: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
• Instruction ID: 4530f9416eb169af0d44378ddba5762a1eee688012323a74912104aead4a3b33
• Opcode Fuzzy Hash: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
• Instruction Fuzzy Hash: A5C1FFB1640200FFCB206F61EE84E2B3AA8EB95745F40057EF641B21F1CB7999529B6D
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040447D
• GetDlgItem.USER32(?,000003E8), ref: 00404491
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044AE
• GetSysColor.USER32(?), ref: 004044BF
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044CD
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044DB
• lstrlenW.KERNEL32(?), ref: 004044E0
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044ED
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404502
• GetDlgItem.USER32(?,0000040A), ref: 0040455B
• SendMessageW.USER32(00000000), ref: 00404562
• GetDlgItem.USER32(?,000003E8), ref: 0040458D
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D0
• LoadCursorW.USER32(00000000,00007F02), ref: 004045DE
• SetCursor.USER32(00000000), ref: 004045E1
• ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 004045F6
• LoadCursorW.USER32(00000000,00007F00), ref: 00404602
• SetCursor.USER32(00000000), ref: 00404605
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404634
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404646
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                                                                                                                                                                  • String ID: N$VC@$open
                                                                                                                                                                                                                                  • API String ID: 3615053054-3831744127
                                                                                                                                                                                                                                  • Opcode ID: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
                                                                                                                                                                                                                                  • Instruction ID: ef28e404984a924d02769b335405a58d84a4f5c10dd13b46e9d300bde90bb2c1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 717191B1A00209BFDB10AF60DD45E6A7B69FB94344F00843AFB05B62E0D779AD51CF98
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
• Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
• Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
• Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4
APIs
• lstrcpyW.KERNEL32(00426DC8,NUL,?,00000000,?,?,00406040,?,?), ref: 00405EBC
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00406040,?,?), ref: 00405EE0
• GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405EE9
  • Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
  • Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA
• GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F06
• wsprintfA.USER32 ref: 00405F24
• GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405F5F
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F6E
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
• SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00405FFC
• GlobalFree.KERNEL32(00000000), ref: 0040600D
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406014
  • Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe,80000000,00000003), ref: 00405D57
  • Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
• String ID: %ls=%ls$NUL$[Rename]
• API String ID: 222337774-899692902
• Opcode ID: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
• Instruction ID: 52ae09e4e2a5e81e4d5588e003ad531eff1fe7f7ae6e2de5146a23cae23f7ad9
• Opcode Fuzzy Hash: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
• Instruction Fuzzy Hash: EB315330241B19BBD2206B209D08F2B3A5CEF85758F15043BF942F62C2EA7CC9118EBD
APIs
• GetDlgItem.USER32(?,000003FB), ref: 0040472C
• SetWindowTextW.USER32(00000000,?), ref: 00404756
• SHBrowseForFolderW.SHELL32(?), ref: 00404807
• CoTaskMemFree.OLE32(00000000), ref: 00404812
• lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 00404844
• lstrcatW.KERNEL32(?,004281E0), ref: 00404850
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404862
  • Part of subcall function 004058A7: GetDlgItemTextW.USER32(?,?,00000400,00404899), ref: 004058BA
  • Part of subcall function 00406412: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,00437800,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00403391,00437800,00437800,004035DE), ref: 00406475
  • Part of subcall function 00406412: CharNextW.USER32(?,?,?,00000000), ref: 00406484
  • Part of subcall function 00406412: CharNextW.USER32(?,00000000,74DF3420,00437800,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00403391,00437800,00437800,004035DE), ref: 00406489
  • Part of subcall function 00406412: CharPrevW.USER32(?,?,74DF3420,00437800,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00403391,00437800,00437800,004035DE), ref: 0040649C
• GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404925
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404940
  • Part of subcall function 00404A99: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3A
  • Part of subcall function 00404A99: wsprintfW.USER32 ref: 00404B43
  • Part of subcall function 00404A99: SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: (7B$A$C:\Program Files\TeamViewer
• API String ID: 2624150263-460036527
• Opcode ID: b1c988a2c75076f1e590c134e256cc95cfc43452e7a67f3061b6eea54995cb3a
• Instruction ID: d5aaf60bd55b21875b9c8b9a8d0b3d7e01f34e6f89f3adcbdcc63617e1d21faf
• Opcode Fuzzy Hash: b1c988a2c75076f1e590c134e256cc95cfc43452e7a67f3061b6eea54995cb3a
• Instruction Fuzzy Hash: B7A191F1A00209ABDB11AFA5CC45AAF77B8EF84354F10847BF601B62D1D77C99418B6D
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004042C6
• GetSysColor.USER32(00000000), ref: 004042E2
• SetTextColor.GDI32(?,00000000), ref: 004042EE
• SetBkMode.GDI32(?,?), ref: 004042FA
• GetSysColor.USER32(?), ref: 0040430D
• SetBkColor.GDI32(?,?), ref: 0040431D
• DeleteObject.GDI32(?), ref: 00404337
• CreateBrushIndirect.GDI32(?), ref: 00404341
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
• Instruction ID: 2a82f640caf94e13ad52f77eccc7f6a005bf570db5d4005cc44859485eb84fad
• Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
• Instruction Fuzzy Hash: 9F215171600704ABCB219F68DE08B4BBBF8AF81714F04892DED95E26A0D738E904CB64
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
  • Part of subcall function 00405E34: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4A
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
• Instruction ID: fbd7f9394f7a40dbbdef10ea3a20ac1ae57b35180e29dd1ddeb30b88b5afce05
• Opcode Fuzzy Hash: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
• Instruction Fuzzy Hash: 19510774D00219ABDF209F94CA88AAEB779FF04344F50447BE501B72E0D7B99982DB69
APIs
• lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
• lstrlenW.KERNEL32(00402E19,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
• lstrcatW.KERNEL32(00422708,00402E19,00402E19,00422708,00000000,00000000,00000000), ref: 00405338
• SetWindowTextW.USER32(00422708,00422708), ref: 0040534A
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
• SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2531174081-0
                                                                                                                                                                                                                                  • Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
                                                                                                                                                                                                                                  • Instruction ID: d14990956ab1253184f877e9e8298894284f42a30aea32824f5004b5108fa95f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 62217F71900518BACF119FA6DD44ACFBFB8EF85354F10807AF904B62A1C7B94A51DFA8
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,00437800,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00403391,00437800,00437800,004035DE), ref: 00406475
                                                                                                                                                                                                                                  • CharNextW.USER32(?,?,?,00000000), ref: 00406484
                                                                                                                                                                                                                                  • CharNextW.USER32(?,00000000,74DF3420,00437800,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00403391,00437800,00437800,004035DE), ref: 00406489
                                                                                                                                                                                                                                  • CharPrevW.USER32(?,?,74DF3420,00437800,"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE,00403391,00437800,00437800,004035DE), ref: 0040649C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE, xrefs: 00406412
                                                                                                                                                                                                                                  • *?|<>/":, xrefs: 00406464
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Char$Next$Prev
                                                                                                                                                                                                                                  • String ID: "C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe" /RESTORE$*?|<>/":
                                                                                                                                                                                                                                  • API String ID: 589700163-1805722269
                                                                                                                                                                                                                                  • Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
                                                                                                                                                                                                                                  • Instruction ID: c1b46f2de1f90aebbf911330ce555e940da56993e608f70b6a8db31027969b8c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5311C85680121299DB307B588C40AB7A2B8EF55754F52803FEDCA732C1E77C5C9286BD
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC2
                                                                                                                                                                                                                                  • GetMessagePos.USER32 ref: 00404BCA
                                                                                                                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00404BE4
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BF6
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C1C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                                  • String ID: f
                                                                                                                                                                                                                                  • API String ID: 41195575-1993550816
                                                                                                                                                                                                                                  • Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                                                                                                                                                                                                  • Instruction ID: 45e0f6331f39cfe7836e80c9775163861a3897288b26a0b158bc224782e9bc0b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C9015271901218BAEB00DB94DD45FFEBBBCAF54711F10012BBA51B61D0C7B495018B54
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(?), ref: 004028E9
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00402914
                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2667972263-0
• Opcode ID: 268536b817805fd7c6aa0ddf0c0313c96854f1d95891718e15f9d7c13f840f6f
• Instruction ID: 9003099e8900d80eaa65f9bf21adae6f43ee9946aaa6f9d478ae9c17af360c06
• Opcode Fuzzy Hash: 268536b817805fd7c6aa0ddf0c0313c96854f1d95891718e15f9d7c13f840f6f
• Instruction Fuzzy Hash: D6216F72801118BBCF216FA5CE49D9E7F79EF09364F24423AF550762E0CB794E419B98
APIs
• lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3A
• wsprintfW.USER32 ref: 00404B43
• SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmp
• Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$(7B
• API String ID: 3540041739-1320723960
• Opcode ID: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
• Instruction ID: 8555a1dc09e6b234f76c08cd80d60a8511de1cbf1cdbca66d7a603e4fd23a7b2
• Opcode Fuzzy Hash: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
• Instruction Fuzzy Hash: E911EB736441283BDB0095AD9C45F9E3298DB85378F150237FA26F71D1DA79D82286EC
APIs
• GetDlgItem.USER32(?,?), ref: 00401D00
• GetClientRect.USER32(00000000,?), ref: 00401D0D
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
• DeleteObject.GDI32(00000000), ref: 00401D4B
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 6491dc860a80c02085eecb14b1266a63ebbf57ab5d60057a90a3d7af6463b562
• Instruction ID: c287ee2e14a47dfcdc45124cadc9b4dd0eb33b5564dd8f2f51e592e83ba53e14
• Opcode Fuzzy Hash: 6491dc860a80c02085eecb14b1266a63ebbf57ab5d60057a90a3d7af6463b562
• Instruction Fuzzy Hash: 33F0E172600504AFD701DBE4DE88CEEBBBDEB48311B104476F541F51A1CA749D018B38
APIs
• GetDC.USER32(?), ref: 00401D59
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
• ReleaseDC.USER32(?,00000000), ref: 00401D86
• CreateFontIndirectW.GDI32(0040CDE0), ref: 00401DD1
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: 020d429652f6eb968a81cc61bdee73d82fb2a6d644655b906a561d6cebbfb8f5
• Instruction ID: 9e8fd183d3d9d3ef172346538d4b27734d94fdc92d2c471f4f64b2fa811a60c8
• Opcode Fuzzy Hash: 020d429652f6eb968a81cc61bdee73d82fb2a6d644655b906a561d6cebbfb8f5
• Instruction Fuzzy Hash: F601A271544641EFEB016BB0AF4AF9A3F75BB65301F104579F152B61E2CA7C0006AB2D
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
• Instruction ID: 9ab6cbc1baff8286944736a18d7265b6422843b7a732a624d4201333bc7942cf
• Opcode Fuzzy Hash: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
• Instruction Fuzzy Hash: F2219071940209BEEF01AFB5CE4AABE7B75EF44744F10403EFA01B61D1D6B88A409B69
APIs
• IsWindowVisible.USER32(?), ref: 00405280
• CallWindowProcW.USER32(?,?,?,?), ref: 004052D1
  • Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3748168415-3916222277
                                                                                                                                                                                                                                  • Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
                                                                                                                                                                                                                                  • Instruction ID: 35360b72f4910b777185a6264b25dc7760dbd7dc789205491e41d57b326ac1ec
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B019E71210708ABDF208F11DD84E9B3A35EF94321F60443AFA00761D1C77A8D529E6A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00405894
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Error launching installer, xrefs: 00405871
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseCreateHandleProcess
                                                                                                                                                                                                                                  • String ID: Error launching installer
                                                                                                                                                                                                                                  • API String ID: 3712363035-66219284
                                                                                                                                                                                                                                  • Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
                                                                                                                                                                                                                                  • Instruction ID: 0fb7bd0647ee639374dbc29985885c8cd5f4694ddcbbc5ba66c50ad851a9a680
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 22E04FB0A002097FEB009B64ED45F7B77ACEB04208F408431BD00F2150D77498248A78
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
                                                                                                                                                                                                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE0
                                                                                                                                                                                                                                  • CharNextA.USER32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF1
                                                                                                                                                                                                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254890679.0000000000408000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000040A000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000425000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000427000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.000000000042C000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000430000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000435000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2254908183.0000000000438000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2255062187.0000000000486000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 190613189-0
                                                                                                                                                                                                                                  • Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
                                                                                                                                                                                                                                  • Instruction ID: b09c91cad7c2282b041c35ea214dbdd3f15ee75aa50bf55fe933874c09a5e2ef
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BFF0F631104954FFD702DFA5DD04E9FBBA8EF06350B2180BAE841F7210D674DE01ABA8
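Added example, not part of the Joe Sandbox report: a small parser that turns one of the function blocks above (APIs, Strings, Memory Dump Source, Similarity) into a structured record, plus a reconstruction of the Similarity "API ID" key so the same key can be computed for functions in your own disassembly and matched against report blocks. The derivation rule is inferred from the three blocks on this page (split API names on CamelCase boundaries, drop tokens shorter than three characters, which removes the A/W suffix and "Is", list tokens that occur more than once, then "$", then the tokens that occur once, each group in ASCII order, and include APIs reached via "Part of subcall function"); it is not a documented Joe Sandbox algorithm. The sample block is transcribed from the page with indentation and the "Download File" captions removed.

```python
import re
from collections import Counter

# Constructed input: one function block transcribed from the report above.
SAMPLE_BLOCK = """\
APIs
• IsWindowVisible.USER32(?), ref: 00405280
• CallWindowProcW.USER32(?,?,?,?), ref: 004052D1
  • Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
Strings
Memory Dump Source
• Source File: 00000009.00000002.2254845796.0000000000401000.00000020.00000001.01000000.00000015.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2254791967.0000000000400000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_TeamViewer_.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
API_RE = re.compile(r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
# CamelCase splitter that keeps acronym runs intact ("WSAStartup" -> "WSA", "Startup").
TOKEN_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z0-9]*|[a-z0-9]+")


def parse_block(text):
    """Turn one 'APIs ... Similarity' block into a dict of structured fields."""
    rec = {"apis": [], "strings": [], "dump": {}, "similarity": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.search(line)
            if m:
                rec["apis"].append({
                    "name": m["name"],
                    "module": m["module"],
                    "args": m["args"].split(",") if m["args"] else [],
                    "ref": int(m["ref"], 16),
                    # APIs reached through a callee are listed as "Part of subcall
                    # function"; their ref is the call site inside that callee.
                    "subcall": line.lstrip("• ").startswith("Part of subcall function"),
                })
        elif section == "Strings":
            value, sep, xrefs = line.lstrip("• ").rpartition(", xrefs: ")
            if sep:
                rec["strings"].append({"value": value, "xrefs": [int(x, 16) for x in xrefs.split(",")]})
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin"):
            m = KV_RE.match(line)
            if m:  # "Associated" repeats, so every key maps to a list
                rec["dump"].setdefault(m["key"], []).append(m["value"])
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                rec["similarity"][m["key"]] = m["value"]
    return rec


def api_id(api_names, min_len=3):
    """Rebuild the Similarity 'API ID' key.

    Assumption inferred from the blocks on this page, not a documented Joe
    Sandbox algorithm: CamelCase tokens shorter than min_len are dropped,
    tokens seen more than once come first, then '$', then single tokens, each
    group in ASCII (code point) order; '$' is omitted when nothing repeats.
    """
    counts = Counter(t for name in api_names for t in TOKEN_RE.findall(name) if len(t) >= min_len)
    repeated = "".join(sorted(t for t, c in counts.items() if c > 1))
    single = "".join(sorted(t for t, c in counts.items() if c == 1))
    return f"{repeated}${single}" if repeated else single


def check_api_id(rec):
    """True when the recomputed key matches the one printed in the block."""
    names = [a["name"] for a in rec["apis"]]  # subcall APIs count, as the page's IDs show
    return api_id(names) == rec["similarity"].get("API ID")


if __name__ == "__main__":
    rec = parse_block(SAMPLE_BLOCK)
    print(rec["similarity"]["API ID"], "recomputed OK" if check_api_id(rec) else "MISMATCH")
```

The key is only a coarse bucket (it ignores call order, arguments and module), so treat a match as a reason to compare the Opcode ID or the Instruction Fuzzy Hash next, not as proof that two functions are the same code.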