Play interactive tour

Edit tour

Windows Analysis Report TeamViewer.exe

Overview

General Information

Sample Name:	TeamViewer.exe
Analysis ID:	544547
MD5:	33a585da49e0ae52cdc1ba8266baef9a
SHA1:	56da8ed161186095ff2692a048099df2631bb0ff
SHA256:	f6f1e16e6c7a591421b1dbff169dede8891728eb982f19cf5d4b5bab6ef5d672
Infos:
Most interesting Screenshot:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses 32bit PE files

PE file contains strange resources

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

TeamViewer.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\TeamViewer.exe" MD5: 33A585DA49E0AE52CDC1BA8266BAEF9A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: TeamViewer.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: TeamViewer.exe

Static PE information: certificate valid

Source: TeamViewer.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: E:\WS\TV_12.0_RC_pub\BuildTarget\Release2013\TeamViewer.pdb source: TeamViewer.exe

Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: TeamViewer.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: TeamViewer.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: TeamViewer.exe	String found in binary or memory: http://www.dns-sd.org/ServiceTypes.html
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: http://www.teamviewer.com
Source: TeamViewer.exe	String found in binary or memory: http://www.teamviewer.com/https://www.teamviewer.com:443/Proxy_IPProxy_Type
Source: TeamViewer.exe	String found in binary or memory: https://cloudstorageintegration.teamviewer.com/Content/revision.txt
Source: TeamViewer.exe	String found in binary or memory: https://cloudstorageintegration.teamviewer.com/Content/revision.txtCloudStorageServiceRevision:
Source: TeamViewer.exe	String found in binary or memory: https://configdl.teamviewer.com/configs/https://configdl.teamviewer.com/rev/CustomConfigurationIPCNe
Source: TeamViewer.exe	String found in binary or memory: https://feedbackservice.teamviewer.comhttps://feedbackservice-test.teamviewer.com/feedback?lng=%1%&s
Source: TeamViewer.exe	String found in binary or memory: https://profilepicture-test.teamviewer.com/upload
Source: TeamViewer.exe	String found in binary or memory: https://profilepicture-test.teamviewer.com/uploadhttps://profilepicture.teamviewer.com/uploadAccount
Source: TeamViewer.exe	String found in binary or memory: https://profilepicture.teamviewer.com/upload
Source: TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: TeamViewer.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: TeamViewer.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\TeamViewer.exe

File read: C:\Users\user\Desktop\TeamViewer.exe

Jump to behavior

Source: TeamViewer.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TeamViewer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\TeamViewer.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\TeamViewer_LogMutex

Source: C:\Users\user\Desktop\TeamViewer.exe

File created: C:\Users\user\AppData\Roaming\TeamViewer\

Jump to behavior

Source: TeamViewer.exe	String found in binary or memory: kernel32LoadLibraryExW\/AddDllDirectory0123456789abcdef0123456789ABCDEF0123456789%d.%d.%d.%d%lxSchannel: TLS 1.3 is not yet supportedschannel: SSL/TLS connection with %s port %hu (step 1/3)
Source: TeamViewer.exe	String found in binary or memory: WebControlClientBrowserWin: BrowserProcessTerminated timed outWebControlClientBrowerWin: CreatePipe function failed for childWebControlClientBrowerWin: Child Pipe handle are NULLWebControlClientBrowerWin: CreatePipe function failed for parentWebControlClientBrowerWin: Parent pipe handle are NULLWebControlClientBrowserWin::SendData: WebControlClient not available.WebControlClientBrowserWin::SendData: WriteFile function failed. Error: %1%WebControlClientBrowserWin::VerifyToken: ReadFile function failed. Error: %1%WebControlClientBrowserWin::VerifyToken: Invalid token. Authentication failed--startedAsWebControlClient --processParameter 0?
Source: TeamViewer.exe	String found in binary or memory: \Monitoring_FailureActionsOverrideInitialCheckDelayMinutesTraceEventLogParsingAllThirdPartyProductNamesThirdPartyName\Secure\AntiMalware/install/update/uninstall.json.logFailureActionsSoftware\ITbrainITbrain BackupSYSTEM\CurrentControlSet\Services\ITbrain Backup serviceITbrainBackupServiceBackupInstallerParametersITbrain_Backup_Service.exeITbrain MonitoringITbrainMonitoringServiceUninstallThirdPartyForceAMInstallationUninstallTimeoutMinutesDefinitionsUpdateTimerMinutesITbrain Anti-Malware serviceITbrainAntiMalwareServiceITbrain_AntiMalware_WSCHandler.exeITbrain_AntiMalware_Service.exeUninstallPathUpdateResultInstallerAdditionalCapabilitiesUninstallFlagsAdditionalUpdateInformationAdditionalInstallInformationITbrain_Monitoring_Service.exeITbrain Monitoring serviceAntiMalwareInstaller.exeITbrainBackupInstaller.exeMonitoringInstaller.exeInstallSuccessInstallResultTV_INTLControlCenterImplementationInterface::AccountInfo::Deserialize: invalid BCommandControlCenterImplementationInterface::AccountInfo::Deserialize : could not deserialize MAC keyControlCenterImplementationInterface::AccountInfo::Deserialize : could not deserialize signatureKeyControlCenterImplementationInterface::CallbackData::Deserialize: invalid BCommand@Jg
Source: TeamViewer.exe	String found in binary or memory: App_SVMobF_QJlegacyEnum_param >= bytearray_paramlegacyEnum_param == bytearray_paramUserManagementShareGroupAlwaysSetConnectionReportingRS_ProcessesRS_LogfilesRS_ScreenshotRS_AppsApi_V1RS_Screen_V9RS_ConnectionRS_Configuration_FILEDirectXGrabAdditionalLicensedSessionsFastVideoRemoteSoundRS_Configuration_WLANRS_Configuration_EMAILRS_ScreenRS_FiletransferLeaveNoteDontUseThisValueRS_Screen_V12InSessionDashboardWebApiPolicyManagementRS_Mobile2MobileIncomingConnectionReportingServicecampIntegrationApi_V2RS_Screen_V10AddNewDeviceDownloadSettingPoliciesSessionCodeCanStartChatSalesforceIntegrationSharedGroups_V11RS_Screen_V11ActivationOnAccountAllowedActivationOnCompanyAllowedRemoteWebControl_RasPi_CommercialSublicensingAllowedFileTransfer_QueuingRecentlyContactedPartnersLinkWithAccountAllowedActivationOnDeviceAllowedSupportCaseNotificationFileTransfer_RecentFilesEasyRolloutPolicyComplianceCheckRemoteWebControl_RasPiRemoteWebControl_NASInSessionDashboard_ExtendedSC_DefaultAssigneeZendeskIntegrationSwitchSidesIntuneIntegrationServiceNowIntegrationBlackScreenRemotePrintingUninitialized%2% -- %1% previous log entries omitted --%1% -- next log entries will be omitted --startupLogger started.CRASH: DesktopHang, Errorcode=CLogfile::Open(): grant permissionsCLogging::SetExeAbbreviationCouldn't access Log-File since
Source: TeamViewer.exe	String found in binary or memory: CloudStorageAccessManagerImpl::RequestSaveCloudStorageAuthentications: Encryption errorCloudStorageAccessManagerImpl::OnSaveCloudStorageAuthentications: Error on store CloudStorage Providers. ErrorCode: %1%CloudStorageAccessManagerImpl::OnSaveCloudStorageAuthentications: Error on store CloudStorage Providers. Not a AccountStorageCommand.CloudStorageAccessManagerImpl::OnSaveCloudStorageAuthentications: Stored CloudStorage Providers updated/added.CloudStorageAccessManagerImpl::OnSaveCloudStorageAuthentications: Error from AccountStorageProvider at store data. Reason: %1%CloudStorageAccessManagerImpl::ParseJsonToAuthData: Error on Parse from Json.CloudStorageAccessManagerImpl::UpdateAuthData: Existing CloudStorage Provider would update. Provider: %1%CloudStorageAccessManagerImpl::UpdateAuthData: New CloudStorage Provider added to Account. Provider: %1%CloudStorageAccessManagerImpl::OnLoadCloudStorageKey: Error on load CloudStorage Key. ErrorCode: %1%CloudStorageAccessManagerImpl::OnLoadCloudStorageKey: Error on load CloudStorage Key. Not a AccountStorageCommand.CloudStorageAccessManagerImpl::OnLoadCloudStorageKey: CloudStorage Key loaded.CloudStorageAccessManagerImpl::OnLoadCloudStorageKey: Invalid cloud storage key was loaded.CloudStorageAccessManagerImpl::OnLoadCloudStorageKey: Error from AccountStorageProvider at load data. Reason: %1%CloudStorageAccessManagerImpl::OnCloudStorageKeyCreate: Error on store CloudStorage Key. ErrorCode: %1%CloudStorageAccessManagerImpl::OnCloudStorageKeyCreate: Error on store CloudStorage Key. Not a AccountStorageCommand.CloudStorageAccessManagerImpl::OnCloudStorageKeyCreate: Stored new CloudStorage Key.ConnectedStoragesCloudStorageKeyoauthDataprovideraccessTokenrefreshTokenCloudStorageAccessManagerImpl::InitAccountStorageConnector: SuccessfullCloudStorageAccessManagerImpl::InitAccountStorageConnector: ErrorCloudStorageAccessManagerImpl::OnCloudStorageAuthenticationsReceived: Error on load CloudStorage Providers. SystemErrorCode: %1%CloudStorageAccessManagerImpl::OnCloudStorageAuthenticationsReceived: Error on load CloudStorage Providers. Not a AccountStorageCommand.CloudStorageAccessManagerImpl::OnCloudStorageAuthenticationsReceived: Encryption errorCloudStorageAccessManagerImpl::OnCloudStorageAuthenticationsReceived: No CloudStorage Connections exist.CloudStorageAccessManagerImpl::OnCloudStorageAuthenticationsReceived: Error from AccountStorageProvider at load data. Reason: %1%CloudStorageAccessManagerImpl::OnCloudStorageKeyCreate: A CloudStorage Key already exists. Load the existing key.CloudStorageAccessManagerImpl::OnCloudStorageKeyCreate: Error on load the existing key. Can not use AccountStorageProvider.CloudStorageAccessManagerImpl::OnCloudStorageKeyCreate: Error from AccountStorageProvider at store key. Reason: %1%
Source: TeamViewer.exe	String found in binary or memory: %1% : discarding bcmd %2%tvnetwork::blitz::BlitzPersistentParticipantManager::SendCommandToRoutertvnetwork::blitz::BlitzPersistentParticipantManager::SetUseStreams%1% - do nothing%1% - unknown command class %2%%1% - do nothing.%1% - "%2%"tvnetwork::blitz::BlitzPersistentParticipantManager::SetParticipantNamePrefixtvnetwork::blitz::BlitzPersistentParticipantManager::InitRCToOldVersion__FSTREXP __FUNCTION__: not supported.%1%: -end- subscrProcess =%2%, tvSessionID=%3%tvnetwork::blitz::BlitzPersistentParticipantManager::SendPMSynchronizationComplete%1%: -start- subscrProcess=%2%, tvSessionID=%3%tvnetwork::blitz::BlitzPersistentParticipantManager::Synchronizetvnetwork::blitz::BlitzPersistentParticipantManager::RemoveSubscriberProcess%1% - unknown cmd class %2%__FSTREXP __FUNCTION__: won't be implemented%1%: process type=%2%tvnetwork::blitz::BlitzPersistentParticipantManager::AddCapabilitiesToCommandtvnetwork::blitz::BlitzPersistentParticipantManager::ReceivedPendingParticipantChanged%1% - joining meetings prohibitedMachineSettings::LoadAll() couldn't open HKEY_LOCAL_MACHINEMachineSettings::LoadAll() fallback to HKEY_CURRENT_USERMachineSettings::LoadAll_Impl() couldn't open HKEY_CURRENT_USERMachineSettingsImpl: Sending all Settings but IPC is not yet authenticated.MachineSettingsImpl: Synchronizing internal Settings but IPC is not yet authenticated.MachineSettings::LoadAll() Couldn't delete temp folder.MachineSettings::SetPrivateKeysFromSettingsRemoteSettings: MachineSettings::SynchroniseAllRemoteableMachineSettings()MachineSettings::ModifySetFun_CustomServerAllRemoteableMachineSettingsMachineSettingsImpl: Synchronizing remoteable Settings but IPC is not yet authenticated.MachineSettings::SetInstallerTempSettingsAMachineSettings::SetInstallerTempSettingsWMachineSettings::SetFun_AlwaysOnline() write P_AUTOSTART_GUIImported installer settings: %1%MachineSettings::SetInstallerTempSettings: permanent password invalidMachineSettings::SetInstallerTempSettings: importing additional permanent passwordsMachineSettings::SetInstallerTempSettings: importing permanent passwordMachineSettings::SetInstallerTempSettings SecurityPasswordExportedMachineSettings::SetInstallerTempSettings P_SECURITY_MPM_PWDS_EXPORTEDMachineSettings::SetInstallerTempSettings: additional permanent passwords invalid`g
Source: TeamViewer.exe	String found in binary or memory: CPacketCache::Add(): size of Cache is %1% (stream=%2%)empty PacketCacheCPacketCache::Add invalid CCmd addedCPersistentParticipantManager::Synchronize: -end- subscr=%1%, tvSession=%2%, %3%CPersistentParticipantManager::Synchronize: -start- subscr=%1%, tvSession=%2%, %3%CPersistentParticipantManager: Initialization finished, toUpdateDestinations=%1%, %2%CPersistentParticipantManager::StartSynchronisations: m_toUpdateDestinations \|= %1%, %2%CPersistentParticipantManager::SendPMSynchronizationComplete %1%CPersistentParticipantManager::SendSubscribers() Stream ID doesn't existCPersistentParticipantManager::SendStream() Stream ID doesn't existCPersistentParticipantManager::RemoveSubscriberProcess: process type=%1%CPersistentParticipantManager as admin add new participant %1% (ID %2%) with role %3%CPersistentParticipantManager::AddParticipant %1% already added.CPersistentParticipantManager::AddParticipant: %1% type=%2% name=%3%CPersistentParticipantManager::ValidateAndDistributeCommand command with invalid state receivedCPersistentParticipantManager::SendPMStateToParticipant: %1% Initialization finished. %2%CPersistentParticipantManager::RemoveParticipant: %1%The PersistentParticipantManager has been nominated as admin pmCPersistentParticipantManager :Bad format in defaultName stringCPersistentParticipantManager::SendCommandToRouter: discarding bcmd %1%CPersistentParticipantManager::OnParticipantRoleChanged the participant %1% has changed the role from %2% to %3% tvnetwork::CPersistentParticipantManager::SendOrderedMeetingSettings%1% out of range bit %2%
Source: TeamViewer.exe	String found in binary or memory: CTerminalServer::StartGUIProcess() Filename for GUI process is %1%CTerminalServer::StartGUIProcess() GUI start error in session %1%: no valid executable foundCTerminalServer::StartGUIProcess() GUI start error in session %1%: No user name available!!!CTerminalServer::StartGUIProcess() Not starting GUI, reusing existingCTerminalServer::StartGUIProcess() GUI start exception in session %1%: CTerminalServer::StartGUIProcess() GUI process %1% started for user %2% in session %3%CTerminalServer::StartGUIProcess() ModifyNTFSPermissions (CTerminalServer::StartGUIProcess() Event %1% sent to GUI.ModifyNTFSPermissions (--startedAsAdmin --IPCport Starting admin process for ID %1% in session %2%, username %3%Connect to existing desktop processCTerminalServer::LoginTSResponse() SessionID not foundCTerminalServer::LoginTSResponse sessionID=%1% userID=%2%CTerminalServer::StartAdminProcess()Admin process started, PID=%1%CTerminalServer::GetUsername() No valid user name for session %1% - try to use fallback!CTerminalServer::GetUsername() Failed to get user name for session %1%! LE = %2%CTerminalServer::GetUsername() Failed to get domain name for session %1%! LE = %2%CTerminalServer::QueryAutostartGUI() SaveInteger user registryForce Autostart GUI for session ID %1%CTerminalServer::GetUsernameEx() GetOwnSessionIDCTerminalServer::GetUsernameEx() GetUserTokenCTerminalServer::QueryAutostartGUI() read default registryCTerminalServer::QueryAutostartGUI() read user registryStarting GUI after remote rebootCTerminalServer::QueryAutostartGUI() write user registryConsoleCTerminalServer::UpdateSessionInfoInternal GetOwnSessionIDCTerminalServer::UpdateSessionInfo() WTSEnumerateSessions failed %1%Multi User Mode is disabled.Failed to find new session ID '%1%' in session list.CTerminalServer::UpdateSessionInfoInternal: WTSQuerySessionInformation(%1%, WTSSessionInfoEx) failed. LastError: %2%CTerminalServer::UpdateSessionInfoInternal: %1% is unlockedCTerminalServer::UpdateSessionInfoInternal: %1% is lockedCTerminalServer::StartDesktopProcess(): Direct LAN connection failed, TargetSession=%1% SessionFound=%2% WTSActive=%3% GUIRunning=%4% AlwaysOnline=%5% ConsoleSession=%6% UserLoggedIn=%7%CTerminalServer::StartDesktopProcess(): External connection failed for ID %1%, SessionFound=%2% UserLoggedIn=%3% MultiUserFallbackMode=%4% SessionID=%5% User=%6%CTerminalServer::StartDesktopInSessionInternal(): Not responding Desktop process killedCTerminalServer::StartDesktopInSessionInternal(): Killing old process failed %1%Could not start the Desktop process.CTerminalServer::StartDesktopInSessionInternal CreateProcessWithTokenCTerminalServer::StartDesktop_Execute CreateProcessAsUser--IPCport CTerminalServer::RepeatedlyCheckForUserLogin() Don't start GUI for session %1%CTerminalServer::RepeatedlyCheckForUserLogin() User not logged inCTerminalServer::RepeatedlyCheckForUserLogin() No process foundCTerminalServer::RepeatedlyCheckForUserLogin() Invalid state %1% for session %2%CTerminalServer::Repeate
Source: TeamViewer.exe	String found in binary or memory: fBackupStorageHandler::HandleCreateNewAccountKey(): Error from AccountStorageProvider at store key. Reason: %1%BackupStorageHandler::GetAccountTokenInternal(): accountStorageConnector is invalidBackupStorageHandler::HandleGetAccountTokenInternal(): Error on load BackupStorage Providers. SystemErrorCode: %1%BackupStorageHandler::HandleGetAccountTokenInternal(): Error on load BackupStorage Providers. Not a AccountStorageCommand.BackupStorageHandler::HandleGetAccountTokenInternal(): Encryption errorBackupStorageHandler::HandleGetAccountTokenInternal(): No AccountToken exists.BackupStorageHandler::HandleGetAccountTokenInternal(): Error from AccountStorageProvider at load data. Reason: %1%BackupStorageHandler::StoreAccountToken(): storage not correctly initialized. m_accountStorageConnector: %1%BackupStorageHandler::HandleGetAccountKey(): Invalid backup storage key was loaded.BackupStorageHandler::HandleGetAccountKey(): Error from AccountStorageProvider at load data. Reason: %1%BackupStorageHandler::CreateNewAccountKey(): accountStorageConnector is invalidBackupStorageHandler::HandleCreateNewAccountKey(): Error on store BackupStorage Key. ErrorCode: %1%BackupStorageHandler::HandleCreateNewAccountKey(): Error on store BackupStorage Key. Not an AccountStorageCommand.BackupStorageHandler::HandleCreateNewAccountKey(): Stored new BackupStorage Key.BackupStorageHandler::HandleCreateNewAccountKey(): A BackupStorage Key already exists. Load the existing key.BackupStorageHandler::HandleCreateNewAccountKey(): Error on load the existing key. Can not use AccountStorageProvider.BackupStorageHandler::GetAccountToken(): accountStorageConnector not initializedBackupStorageHandler::InitAccountStorageConnector: Error: root not validBackupStorageHandler::InitAccountStorageConnector: SuccessfulBackupStorageHandler::InitAccountStorageConnector: Error: Account Storage Connector not validBackupStorageHandler::GetAccountKey(): accountStorageConnector not initializedBackupStorageHandler::HandleGetAccountKey(): Error on load BackupStorage Key. ErrorCode: %1%BackupStorageHandler::HandleGetAccountKey(): Error on load BackupStorage Key. Not an AccountStorageCommand.BackupStorageHandler::HandleGetAccountKey(): BackupStorage Key loaded.BackupStorageKeyBackupAccountTokenBackupStorageHandler::StoreAccountTokenInternal(): accountStorageConnector is invalidBackupStorageHandler::StoreAccountTokenInternal(): Encryption errorBackupStorageHandler::HandleStoreAccountTokenInternal(): Error on store BackupStorage Provider. ErrorCode: %1%BackupStorageHandler::HandleStoreAccountTokenInternal(): Error on store BackupStorage Provider. Not a AccountStorageCommand.BackupStorageHandler::HandleStoreAccountTokenInternal(): Stored BackupStorage Providers updated/added.BackupStorageHandler::HandleStoreAccountTokenInternal(): Error from AccountStorageProvider at store data. Reason: %1%
Source: TeamViewer.exe	String found in binary or memory: TeamViewer will quit for security reasons. Please reinstall TeamViewer.Critical Error--ProxySettings EmbeddingRestart of GUI process failed.Restart of GUI process failed!PasswordB64,BBase64 Password from TV Managermode,mMode from TV Managerid,iPartnerID from TV ManagerPassword,PPassword from TV Managersupdateflag for triggering silent updateac,aAccessControl rights from TV Managerquality,qSelected connection quality in TV Managercqsupdateflag for updating CQSProxy UsernameProxy IP and PortDon't restart elevatedProxy Password Base64 encodedplayPlay a TeamViewerSession file (.tvs)controlInitiate TeamViewer with Control File (.tvc)Configuration IDIndicates that TeamViewer is started by web connectorInstall the API.configurationRestore session to partner (after tv restart)QS was restarted as admin userIndicates that TeamViewer is started by consoleReload all settings on startupHttpRedirectionProtocol::Register failed with 0x%08xFailed to load resource DLL (TeamViewer_StaticRes.dll)!ReloadSettings: Not connected to service. Unable to reload settings.ReloadSettings: Reloading Machine SettingsTVDesktopApplicationWin::LoadResourceDLLs: Current used TV language set to: %1%One or more files of your TeamViewer version are missing or have been modified. Some of the TeamViewer functionality will not be available. Please reinstall TeamViewer.Failed to load resource DLL (TeamViewer_Resource.dll)!CMain::LoadResourceDLLs(): No custom resource dll foundTeamViewer Tray IconCMain::run: another instance is already running, exiting processConfigUpdateRunningMain: To load an ini-file, please open TeamViewer.ini and set NoSave to 1.StartInTrayMain Window could not be created. Error %1%UninstallAPIInstallAPIGUI running in system account, trying to restart it.CustomConfiguration Update in network timed out.GUI started in System account and can't be restarted under a different user.Could not get token for session %1%.--ConfigUpdateRunningCustomConfiguration Update in network pending. Restarting GUI.Failed to restart GUI: --StartInTrayMinimize,MMinimize on startupgw,gGateway for CustomQuickSupportStartedByInstallerReloadSettingsnoInstallation,nOnly execute TeamViewer without installingConfig update running in networksendtoError parsing command line: Hide TeamViewer in trayIndicates that TeamViewer was started by COM.Uninstall the API.Send a list of files to a partner in your partner listIndicates that TeamViewer was started by the installer.PasswordB64PasswordCommand Line Parameter --ac is not in valid range. Using standard settingsactvc control file acceptedTrying to read control file: fileTransfertvc control file not acceptedCMain::ParseSendToArguments: explorer --sendto invocation: %1%CMain::ParseSendToArguments: bad_any_cast explorer --sendto invocation: %1%RICHED20.DLLCommand Line Parameter --quality is not in valid range. Using standard settingsqualitylist of files is emptyCMain::SendCmdToRunningInstance: send CT_SYNC_API_SERVER to other TV instance[RemoteSettings]
Source: TeamViewer.exe	String found in binary or memory: in-addr
Source: TeamViewer.exe	String found in binary or memory: %-7s ARP %s from owner %.6a %.4a for %-15.4a -- re-starting probing for %s
Source: TeamViewer.exe	String found in binary or memory: _keepalivemDNS_ReconfirmByValueSendARP: No interface with InterfaceID %p found %sArp %-7s %s %.6a %.4a for %.4a -- H-MAC %.6a I-MAC %.6a %sTLSTCPUDPnewoldsleep proxy for %d recordsReached maximum number of restarts for probing - %sSendQueries: No active interface %d to send %s question: %d %##s (%s)lost:won: mDNS_UpdateAllowSleep: Sleep disabled because we are proxying %d recordstie: ResolveSimultaneousProbe: %p Pkt Record: %08lX %sResolveSimultaneousProbe: %p Our Record %d %s %08lX %s%s does not support NetWakeResolveSimultaneousProbe: %##s (%s): No Update Record foundUnknown DNS packet type %02X%02X from %#-15a:%-5d to %#-15a:%-5d length %d on %p (ignored)SendARP: No interface with InterfaceID %p foundNo sleep proxy server on %s%-7s ARP from %.6a %.4a for %.4a -- Invalid H-MAC %.6a I-MAC %.6a %smDNS_UpdateAllowSleep: Sleep disabled because %s does not support NetWakeAnnouncement Request %04XResponse mDNSCoreReceiveResponse: Setting aware for %##s (%s) on %#a%-7s ARP %s from owner %.6a %.4a for %-15.4a -- re-starting probing for %s%s%-7s Conflicting ARP from %.6a %.4a for %.4a -- waking H-MAC %.6a I-MAC %.6a %smDNS_UpdateAllowSleep: Sleep disabled because %s has no sleep proxy servermDNSCoreReceiveRawARP %02XNo sleep proxy server with better metric on %smDNSCoreReceivemDNS_StartBrowsemDNS_UpdateAllowSleep: Sleep disabled because %s has no sleep proxy server with a better metricmDNS_StartBrowsemDNSCoreReceiveRawNDSendNDP: No interface with InterfaceID %p found %smDNSCoreReceiveResponse: CRDNSSECQuestion set for record %s, question %##s (%s)mDNSCoreReceiveResponse: Server %p responded with code %d to DNSSEC Query %##s (%s), clear DO flagGenerateNegativeResponse: ERROR!! CurrentQuestion not setClearKeepaliveProxyRecords ERROR m->CurrentRecord already set %s
Source: TeamViewer.exe	String found in binary or memory: %-7s NDP %s from owner %.6a %.16a for %.16a -- re-starting probing for %s
Source: TeamViewer.exe	String found in binary or memory: %d.%d.%d.%d.in-addr.arpa.
Source: TeamViewer.exe	String found in binary or memory: _keepaliveUpdateQuestionDuplicates transferred nta pointer for %##s (%s) (Self-Referential)Reached maximum number of restarts for probing - %smDNS_UpdateAnswerQuestionByFollowingCNAME: %p %##s (%s) NOT following CNAME referral %d%s for %sUpdateQuestionDuplicates did not transfer tcp pointerAttempt to update record with invalid rdata: %sClearIdenticalProxyRecords ERROR m->CurrentRecord already set %sAnswerCurrentQuestionWithResourceRecordmDNS_UpdateAnswerQuestionByFollowingCNAME: %p %##s (%s) following CNAME referral %d for %sUpdateQuestionDuplicates transferred LLQ state for %##s (%s)%s: Locking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)ClearIdenticalProxyRecords: Removing %3d H-MAC %.6a I-MAC %.6a %d %d %sAnswerQuestionByFollowingCNAME: Resolving a .local CNAME %p %##s (%s) Record %sAnswerCurrentQuestionWithResourceRecord%-7s NDP from %.6a %.16a for %.16a -- Invalid H-MAC %.6a I-MAC %.6a %s%s: Unlocking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)mDNSCoreReceiveResponse: CNAME loop domain name %##smDNS_AddMcastResolver: Adding %##s, InterfaceID %p, timeout %uClearProxyRecords ERROR m->CurrentRecord already set %sAnswerCurrentQuestionWithResourceRecordSolicitation %s: Locking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)AdvertisementmDNS_AddMcastResolver%-7s NDP %s from owner %.6a %.16a for %.16a -- re-starting probing for %ss%s: Lock not held! mDNS_busy (%ld) mDNS_reentrancy (%ld)mDNS_Update%-7s Conflicting NDP from %.6a %.16a for %.16a -- waking H-MAC %.6a I-MAC %.6a %sAnswerCurrentQuestionWithResourceRecordAddExcessive update rate for %##s; delaying announcement by %ld second%smDNSCoreReceiveRawND%s: Unlocking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)AnswerLocalQuestionWithLocalAuthRecord: ERROR!! CurrentQuestion NULL while answering with %sNote: Mcast Resolver domain %##s (%p) registered more than onceUpdateKeepaliveRData: not a valid record %s for keepalive %#a:%d %#a:%dRmvt=%d i=%d c=%d h=%#a d=%#a l=%u r=%u m=%sAnswerLocalQuestionWithLocalAuthRecord: NOT delivering %s event for local record type %X %smDNS_DeregisterClearProxyRecords: Removing %3d AC %2d %02X H-MAC %.6a I-MAC %.6a %d %d %smDNS_DeregistermDNS_AddMcastResolver: ERROR!! - malloct=%d i=%d c=%d H=%#a D=%#a l=%u r=%u m=%smDNSCoreReceiveResponse: Accepting response for query: %##s (%s)AnswerLocalQuestionWithLocalAuthRecordmDNSResponder: Dropping LinkLocal packet %sCacheRecordDeferredAdd ERROR m->CurrentQuestion already set: %##s (%s)%s: Locking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)mDNSPlatformRetrieveTCPInfo: mDNSPlatformRetrieveTCPInfo failed %dt=%d i=%d c=%d h=%#a d=%#a l=%u r=%u m=%.6a s=%u a=%u w=%umDNSPlatformRetrieveTCPInfo: InterfaceID mismatch mti.IntfId = %p InterfaceID = %pAnswerLocalQuestionWithLocalAuthRecordt=%d i=%d c=%d H=%#a D=%#a l=%u r=%u m=%.6a s=%u a=%u w=%u%s: Unlocking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)PenaltyTimeForServer: PenaltyTime negative %d, (server penaltyTime %d, timenow %d) resetting the penaltym
Source: TeamViewer.exe	String found in binary or memory: _keepaliveUpdateQuestionDuplicates transferred nta pointer for %##s (%s) (Self-Referential)Reached maximum number of restarts for probing - %smDNS_UpdateAnswerQuestionByFollowingCNAME: %p %##s (%s) NOT following CNAME referral %d%s for %sUpdateQuestionDuplicates did not transfer tcp pointerAttempt to update record with invalid rdata: %sClearIdenticalProxyRecords ERROR m->CurrentRecord already set %sAnswerCurrentQuestionWithResourceRecordmDNS_UpdateAnswerQuestionByFollowingCNAME: %p %##s (%s) following CNAME referral %d for %sUpdateQuestionDuplicates transferred LLQ state for %##s (%s)%s: Locking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)ClearIdenticalProxyRecords: Removing %3d H-MAC %.6a I-MAC %.6a %d %d %sAnswerQuestionByFollowingCNAME: Resolving a .local CNAME %p %##s (%s) Record %sAnswerCurrentQuestionWithResourceRecord%-7s NDP from %.6a %.16a for %.16a -- Invalid H-MAC %.6a I-MAC %.6a %s%s: Unlocking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)mDNSCoreReceiveResponse: CNAME loop domain name %##smDNS_AddMcastResolver: Adding %##s, InterfaceID %p, timeout %uClearProxyRecords ERROR m->CurrentRecord already set %sAnswerCurrentQuestionWithResourceRecordSolicitation %s: Locking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)AdvertisementmDNS_AddMcastResolver%-7s NDP %s from owner %.6a %.16a for %.16a -- re-starting probing for %ss%s: Lock not held! mDNS_busy (%ld) mDNS_reentrancy (%ld)mDNS_Update%-7s Conflicting NDP from %.6a %.16a for %.16a -- waking H-MAC %.6a I-MAC %.6a %sAnswerCurrentQuestionWithResourceRecordAddExcessive update rate for %##s; delaying announcement by %ld second%smDNSCoreReceiveRawND%s: Unlocking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)AnswerLocalQuestionWithLocalAuthRecord: ERROR!! CurrentQuestion NULL while answering with %sNote: Mcast Resolver domain %##s (%p) registered more than onceUpdateKeepaliveRData: not a valid record %s for keepalive %#a:%d %#a:%dRmvt=%d i=%d c=%d h=%#a d=%#a l=%u r=%u m=%sAnswerLocalQuestionWithLocalAuthRecord: NOT delivering %s event for local record type %X %smDNS_DeregisterClearProxyRecords: Removing %3d AC %2d %02X H-MAC %.6a I-MAC %.6a %d %d %smDNS_DeregistermDNS_AddMcastResolver: ERROR!! - malloct=%d i=%d c=%d H=%#a D=%#a l=%u r=%u m=%smDNSCoreReceiveResponse: Accepting response for query: %##s (%s)AnswerLocalQuestionWithLocalAuthRecordmDNSResponder: Dropping LinkLocal packet %sCacheRecordDeferredAdd ERROR m->CurrentQuestion already set: %##s (%s)%s: Locking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)mDNSPlatformRetrieveTCPInfo: mDNSPlatformRetrieveTCPInfo failed %dt=%d i=%d c=%d h=%#a d=%#a l=%u r=%u m=%.6a s=%u a=%u w=%umDNSPlatformRetrieveTCPInfo: InterfaceID mismatch mti.IntfId = %p InterfaceID = %pAnswerLocalQuestionWithLocalAuthRecordt=%d i=%d c=%d H=%#a D=%#a l=%u r=%u m=%.6a s=%u a=%u w=%u%s: Unlocking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)PenaltyTimeForServer: PenaltyTime negative %d, (server penaltyTime %d, timenow %d) resetting the penaltym
Source: TeamViewer.exe	String found in binary or memory: getifaddrs_ipv6.,%d.%d.%d.%d.in-addr.arpa.SendWakeupPacket error: sent %d bytes: %d

Source: TeamViewer.exe

Binary string: DriverConnector::InitAdapterConfig: succeeded with instance id %1% (%2%)DriverConnector::PostInstallInit: QueryVPNRegKey failedDriverConnector::PostInstallInit: NotifyChangeKeyValue failed (%1%)DriverConnector::PostInstallInit: InitAdapterConfig failedDriverConnectorInitNetCfgInstanceIdDriverConnector::InitAdapterConfig: QueryStringValue failed for value NetCfgInstanceId (%1%)DriverConnector::InitAdapterConfig: GetAdapterIndex failed for path %1% (%2%)DriverConnector::PostInstallInit: timeout while waiting for configuration changesDriverConnector::PostInstallInit: timeout, last tried instance id was %1%DriverConnector::PostInstallInit: initialized with instance id %1%.dgtDriverConnector::PostInstallInit: InitAdapterConfig failed, retrying...DriverConnector::PostInstallInit: Open failed for instance id %1%DriverConnector::PostInstallInit: Open failed for instance id %1%, retrying...NdisUpdatedNetworkInterfaceDriverConnector::WaitForEventWithTimeout: NotifyChangeKeyValue failed (%1%)QueryVPNRegKey: RegOpenKeyEx: MatchingDeviceID) has no 'MatchingDeviceID' entry. Continuing...' (SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}QueryVPNRegKey: Could not find registry key for network adapters.teamviewervpnQueryVPNRegKey: RegEnumKeyEx: TeamViewer VPNNameDriverConnector::RenameConnection: SetStringValue failed for key %1% (%2%)DriverConnector::RenameConnection: succeeded for key %1%QueryVPNRegKey: Subkey '%1%\%2%\ConnectionSYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}DriverConnector::RenameConnection: Open failed for key %1% (%2%)Driver.DHCP.FailedDriver.GetMAC.FailedDriver.TAP_IOCTL_SET_MEDIA_STATUS.RejectedDriver.Invalid.IP\\.\Global\ devpath=DriverConnector.Open: CreateFile failed with error DriverConnector.Open: DeviceIOControl(MTU) failedDriver.GetDriverIPAddress.GetAdaptersInfo.Error = Driver.GetDriverIPAddress.Memory allocation errorDriver.GetDriverIPAddress.GetAdaptersInfo2.Error = DriverConnector.RemoveIPAddresses: DeleteIPAddress(%1%) failed with error %2%) failed with error DriverConnector.Open: IpRenewAddress(DriverConnector.Open: FlushIpNetTable(DriverConnector.Close: CloseHandle failed\DEVICE\TCPIP_Startup VPN failed

Source: classification engine

Classification label: clean1.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\TeamViewer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: TeamViewer.exe

Static file information: File size 41074192 > 1048576

Source: TeamViewer.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: TeamViewer.exe

Static PE information: certificate valid

Source: TeamViewer.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f85600
Source: TeamViewer.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x49de00
Source: TeamViewer.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x156c00
Source: TeamViewer.exe	Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x162e00

Source: TeamViewer.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: TeamViewer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TeamViewer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TeamViewer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TeamViewer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TeamViewer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TeamViewer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TeamViewer.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: TeamViewer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: E:\WS\TV_12.0_RC_pub\BuildTarget\Release2013\TeamViewer.pdb source: TeamViewer.exe

Source: TeamViewer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TeamViewer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TeamViewer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TeamViewer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TeamViewer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: TeamViewer.exe

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\TeamViewer.exe

Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Jump to behavior

Source: TeamViewer.exe	Binary or memory string: fvmconnect.exerdpclip.exevboxtray.exevirtualbox.exeClipboardSnapshotImplThreadWin::CreateCommonDataStream: unable to seek marshalled stream to the beginning, hr= 0x%1$xClipboardSnapshotImplThreadWin::SnapshotExtractAndCache: size of format %1% is too big %2% (%3%)ClipboardSnapshotImplThreadWin::CreateCommonDataStream: unable to seek stream to the beginning, hr= 0x%1$xClipboardSnapshotImplThreadWin::CreateCommonDataStream: unable to unmarshal inter thread interface, hr= 0x%1$xClipboardSnapshotImplThreadWin::SnapshotInit Owning process: %1%ClipboardSnapshotImplThreadWin::SnapshotInit: OleGetClipboard failed: 0x%1$xClipboardSnapshotImplThreadWin::SnapshotIsTeamViewerProvidedContent: error extracting the id of the providerClipboardSnapshotImplThreadWin::SnapshotIsTeamViewerProvidedContent: no DataObjectClipboardSnapshotImplThreadWin::SnapshotCreateInternal: snapshot owner is in exclude list: %1%ClipboardSnapshotImplThreadWin::SnapshotCreateInternal: ignoring rdp provided snapshotClipboardSnapshotImplThreadWin::SnapshotCreate: EnumFormatEtc failed: 0x%1$xClipboardSnapshotImplThreadWin::SnapshotCreateInternal: no DataObjectClipboardSnapshotImplThreadWin::SnapshotCreateInternal: No filetransfer allowed. Skipping file formats.ClipboardSnapshotImplThreadWin::SnapshotCreate: Reset EnumFormatEtc failed: 0x%1$xClipboardSnapshotImplThreadWin::SnapshotIsRdpProvided: no DataObjectClipboardSnapshotImplThreadWin::SnapshotCreate: Snapshot created successfully
Source: TeamViewer.exe, 00000000.00000000.671273281.0000000003027000.00000002.00020000.sdmp, TeamViewer.exe, 00000000.00000002.693425168.0000000003027000.00000002.00020000.sdmp	Binary or memory string: vmconnect.exerdpclip.exevboxtray.exevirtualbox.exeClipboardSnapshotImplThreadWin::CreateCommonDataStream: unable to seek marshalled stream to the beginning, hr= 0x%1$xClipboardSnapshotImplThreadWin::SnapshotExtractAndCache: size of format %1% is too big %2% (%3%)ClipboardSnapshotImplThreadWin::CreateCommonDataStream: unable to seek stream to the beginning, hr= 0x%1$xClipboardSnapshotImplThreadWin::CreateCommonDataStream: unable to unmarshal inter thread interface, hr= 0x%1$xClipboardSnapshotImplThreadWin::SnapshotInit Owning process: %1%ClipboardSnapshotImplThreadWin::SnapshotInit: OleGetClipboard failed: 0x%1$xClipboardSnapshotImplThreadWin::SnapshotIsTeamViewerProvidedContent: error extracting the id of the providerClipboardSnapshotImplThreadWin::SnapshotIsTeamViewerProvidedContent: no DataObjectClipboardSnapshotImplThreadWin::SnapshotCreateInternal: snapshot owner is in exclude list: %1%ClipboardSnapshotImplThreadWin::SnapshotCreateInternal: ignoring rdp provided snapshotClipboardSnapshotImplThreadWin::SnapshotCreate: EnumFormatEtc failed: 0x%1$xClipboardSnapshotImplThreadWin::SnapshotCreateInternal: no DataObjectClipboardSnapshotImplThreadWin::SnapshotCreateInternal: No filetransfer allowed. Skipping file formats.ClipboardSnapshotImplThreadWin::SnapshotCreate: Reset EnumFormatEtc failed: 0x%1$xClipboardSnapshotImplThreadWin::SnapshotIsRdpProvided: no DataObjectClipboardSnapshotImplThreadWin::SnapshotCreate: Snapshot created successfully

Source: TeamViewer.exe

Binary or memory string: Shell_TrayWndShell_SecondaryTrayWndThumbnailClassTaskListThumbnailWndDV2ControlHostBaseBarteamviewerdebug.exeStartmenusidebar.exe\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileDescription.exeWindowObserverGUI::BlacklistChildWindow: Send IPC command failedWindowObserverGUI::SelectAllWindows: %1%;%2%BBarWindowClassSysShadow#32771ImmersiveLauncherProgmanApplicationFrameWindowWorkerWTVWidgetWinWindowObserverGUI::SetSingleWindowWindowObserverGUI::SessionEnded: %1%WindowObserverGUI::SessionStart: %1%; type: %2%WindowObserverGUI::GetMonitorsForWindow(): GetWindowRect() failed with error %1%WindowObserverGUI.ProcessApplSelHandleList0

Source: C:\Users\user\Desktop\TeamViewer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TeamViewer.exe	0%	Virustotal		Browse
TeamViewer.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://feedbackservice.teamviewer.comhttps://feedbackservice-test.teamviewer.com/feedback?lng=%1%&s	0%	Avira URL Cloud	safe
http://www.dns-sd.org/ServiceTypes.html	0%	Virustotal		Browse
http://www.dns-sd.org/ServiceTypes.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cloudstorageintegration.teamviewer.com/Content/revision.txt	TeamViewer.exe	false		high
https://feedbackservice.teamviewer.comhttps://feedbackservice-test.teamviewer.com/feedback?lng=%1%&s	TeamViewer.exe	false	Avira URL Cloud: safe	unknown
https://profilepicture-test.teamviewer.com/upload	TeamViewer.exe	false		high
https://configdl.teamviewer.com/configs/https://configdl.teamviewer.com/rev/CustomConfigurationIPCNe	TeamViewer.exe	false		high
http://www.dns-sd.org/ServiceTypes.html	TeamViewer.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cloudstorageintegration.teamviewer.com/Content/revision.txtCloudStorageServiceRevision:	TeamViewer.exe	false		high
http://schemas.xmlsoap.org/soap/encoding/	TeamViewer.exe	false		high
http://www.teamviewer.com/https://www.teamviewer.com:443/Proxy_IPProxy_Type	TeamViewer.exe	false		high
https://profilepicture.teamviewer.com/upload	TeamViewer.exe	false		high
https://profilepicture-test.teamviewer.com/uploadhttps://profilepicture.teamviewer.com/uploadAccount	TeamViewer.exe	false		high
http://www.teamviewer.com	TeamViewer.exe, 00000000.00000002.698096020.0000000004F25000.00000004.00000040.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	TeamViewer.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544547
Start date:	23.12.2021
Start time:	16:09:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TeamViewer.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 23.54.113.53, 20.82.210.154 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer12_Logfile.log Download File
Process:	C:\Users\user\Desktop\TeamViewer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	704
Entropy (8bit):	5.11490801066245
Encrypted:	false
SSDEEP:	12:AKQ8DIwKwATwU7NWKRR3PUamAYRfKBCmAP59puMaUR7kDlm72Zu+uMQ:/BDswATL7NF33vmznm85ruMaskDl7ZuJ
MD5:	8D069B8A39D2B01E1D9939192FA9B13E
SHA1:	D39932C05F51599E2AAABBFB36F7E6A48584DDCA
SHA-256:	7733A3AB602A6B17509D89B353433DEC6110F98B94AF09ABE6B98005D377A359
SHA-512:	85A8756CAAE08BF90D7558BD19787192DAE1BC15A4D2AE23684519F3CA63F2740512F52722B60825045A4DB9B6286CA398774BE15FFC9B4CD0F8D93EF9234F40
Malicious:	false
Reputation:	low
Preview:	2021/12/23 16:10:41.217 7148 7152 0 Logger started...2021/12/23 16:10:41.217 7148 7152 0 StringCompare locale: English_United States.1252..2021/12/23 16:10:41.310 7148 7152 0+ Thread: Main..2021/12/23 16:10:42.014 7148 7152 0+ GetSimpleDisplayCertNameFromFile: Found cert name: 'TeamViewer Germany GmbH'...2021/12/23 16:10:42.060 7148 7152 0!! GetSimpleDisplayCertNameFromFile: File 'C:\Users\user\Desktop\TeamViewer_StaticRes.dll' does not exist...2021/12/23 16:10:42.060 7148 7152 0!! VerifyTeamViewerSignature() : WinVerifyTrust failed, result=2..2021/12/23 16:10:42.170 7148 7152 0!! Failed to verify Signature of C:\Users\user\Desktop\TeamViewer_StaticRes.dll, fatal=1..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.492986785182522
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TeamViewer.exe
File size:	41074192
MD5:	33a585da49e0ae52cdc1ba8266baef9a
SHA1:	56da8ed161186095ff2692a048099df2631bb0ff
SHA256:	f6f1e16e6c7a591421b1dbff169dede8891728eb982f19cf5d4b5bab6ef5d672
SHA512:	1dc49881cc6c8bca6c99edf2942c3bcd5ef16fe4fe70a844216140feff729c57f31f33de6042f449cc75ce9a90262a6e966cd9f48c73b67b3e3466ae73ae49ec
SSDEEP:	786432:eNtxzStoa7XfOkZj4s3ukz7ccjnvC3XwTdcm2:EtxzStFT914muktZd2
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........l..............Q.E......_]......\c......_b......_c.Z....u........O.H....u..........5....{)......u..............z.c.....z.b.;..

File Icon


Icon Hash:	71e0d49292c07033

Static PE Info

General
Entrypoint:	0x208c758
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6077F954 [Thu Apr 15 08:29:08 2021 UTC]
TLS Callbacks:	0x20848d0
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8a55ed51bb376589fccf283185d2199a

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/12/2020 1:00:00 AM 1/27/2022 12:59:59 AM
Subject Chain	CN=TeamViewer Germany GmbH, O=TeamViewer Germany GmbH, L=GÃ¶ppingen, S=Baden-WÃ¼rttemberg, C=DE
Version:	3
Thumbprint MD5:	B34F54FD9B9DF3D7D7760FDDBC0BC6C7
Thumbprint SHA-1:	C392906CC0C8DA3EAFA4CB47EC868947CE4FEF84
Thumbprint SHA-256:	8BE05580E4FE2B517C07A52A8F213264DFAA0F2E76161C6C2835B61958520F14
Serial:	032694CFEE1C05E1B2AA8FCF842A3539

Entrypoint Preview

Instruction
call 00007F4764E1F804h
jmp 00007F4764E02C65h
push 00000014h
push 0281A5A8h
call 00007F4764E0CA87h
call 00007F4764E09E78h
movzx esi, ax
push 00000002h
call 00007F4764E1F797h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F4764E02C66h
xor ebx, ebx
jmp 00007F4764E02C95h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F4764E02C4Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F4764E02C3Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F4764E02C6Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F4764E0C6ACh
test eax, eax
jne 00007F4764E02C6Ah
push 0000001Ch
call 00007F4764E02D41h
pop ecx
call 00007F4764E0C608h
test eax, eax
jne 00007F4764E02C6Ah
push 00000010h
call 00007F4764E02D30h
pop ecx
call 00007F4764E1F810h
and dword ptr [ebp-04h], 00000000h
call 00007F4764E0FCB1h
test eax, eax
jns 00007F4764E02C6Ah
push 0000001Bh
call 00007F4764E02D16h
pop ecx
call dword ptr [02387384h]
mov dword ptr [029B9D18h], eax
call 00007F4764E1F82Bh
mov dword ptr [029A276Ch], eax
call 00007F4764E1F3E8h
test eax, eax
jns 00007F4764E02C6Ah

Rich Headers

Programming Language:

[C++] VS2013 UPD5 build 40629
[ C ] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[C++] VS2013 build 21005
[ C ] VS2013 UPD5 build 40629
[C++] VS2008 SP1 build 30729
[ASM] VS2013 build 21005
[C++] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2423470	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25bd000	0x4a6c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2728800	0x3610	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2608000	0x162da4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1f8ad80	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x21bebf8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x21bebb0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f87000	0x414	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x241e8a4	0x460	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f854ec	0x1f85600	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1f87000	0x49dcc8	0x49de00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2425000	0x195d28	0x156c00	False	0.144289068198	data	5.33812426289	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rodata	0x25bb000	0xb40	0xc00	False	0.1669921875	data	4.03817571349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x25bc000	0x9	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x25bd000	0x4a6c8	0x4a800	False	0.106471528943	data	4.00441319391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2608000	0x162da4	0x162e00	False	0.513633349111	data	6.6781271819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
REGISTRY	0x25bd280	0x56a	ASCII text, with CRLF line terminators	German	Germany
TYPELIB	0x25bd7f0	0x39a4	data	German	Germany
RT_ICON	0x25c1538	0x468	GLS_BINARY_LSB_FIRST	German	Germany
RT_ICON	0x25c19a0	0x10a8	data	German	Germany
RT_ICON	0x25c2a48	0x25a8	data	German	Germany
RT_ICON	0x25c4ff0	0x42028	data	German	Germany
RT_GROUP_ICON	0x2607018	0x3e	data	German	Germany
RT_VERSION	0x25c1198	0x3a0	data	German	Germany
RT_MANIFEST	0x2607058	0x669	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, InterlockedIncrement, InterlockedDecrement, InterlockedCompareExchange, SetEvent, InitializeCriticalSectionAndSpinCount, CreateEventA, LeaveCriticalSection, RaiseException, InterlockedExchange, GetLastError, EnterCriticalSection, InterlockedExchangeAdd, DecodePointer, PostQueuedCompletionStatus, DeleteCriticalSection, TlsAlloc, CloseHandle, TlsFree, LoadLibraryExA, GetModuleHandleA, GetModuleFileNameA, GetSystemDirectoryA, GetCurrentProcess, FlushInstructionCache, SetLastError, InitializeCriticalSection, WaitForSingleObjectEx, DuplicateHandle, CreateSemaphoreA, ReleaseSemaphore, GetSystemTimeAsFileTime, TlsGetValue, SetWaitableTimer, WaitForSingleObject, SleepEx, CreateEventW, CreateWaitableTimerW, ResetEvent, OpenEventA, MulDiv, TlsSetValue, WideCharToMultiByte, CreateIoCompletionPort, FindResourceW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, Sleep, RegisterWaitForSingleObject, UnregisterWaitEx, GetProcAddress, FreeLibrary, GetPrivateProfileStringW, WritePrivateProfileStringW, GlobalAlloc, GlobalFree, GlobalSize, GlobalLock, GlobalUnlock, DeleteFileW, FindFirstFileW, GetFileAttributesW, FindClose, GetTickCount, GetVersionExW, LocalFree, LocalAlloc, lstrlenW, FormatMessageW, GetCommandLineW, GetModuleHandleW, GetModuleFileNameW, MultiByteToWideChar, CreateJobObjectW, SetInformationJobObject, AssignProcessToJobObject, ReadFile, WriteFile, CreatePipe, TzSpecificLocalTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, FileTimeToSystemTime, OutputDebugStringW, CreateDirectoryW, SetThreadPriority, GetCurrentThread, WaitForMultipleObjects, UnregisterWait, SizeofResource, LockResource, LoadResource, FindResourceExW, CopyFileW, GetLocalTime, GetTimeFormatW, VirtualAlloc, VirtualFree, CreateFileW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetUnhandledExceptionFilter, GetSystemDirectoryW, LoadLibraryW, FindNextFileW, FileTimeToLocalFileTime, SetFilePointer, GetLogicalDriveStringsW, GetDriveTypeW, GetDiskFreeSpaceExW, SetFileAttributesW, GetFileSize, CreateThread, ResumeThread, GetExitCodeThread, QueueUserAPC, MoveFileExW, GetTempPathW, ExpandEnvironmentStringsW, GetUserGeoID, GetGeoInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, GetSystemInfo, GlobalMemoryStatusEx, GetComputerNameW, MoveFileW, SystemTimeToFileTime, GetCurrentDirectoryW, LocalFileTimeToFileTime, SetFileTime, GetFileInformationByHandle, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, SetThreadAffinityMask, QueryPerformanceFrequency, SwitchToThread, FormatMessageA, VerifyVersionInfoW, VerSetConditionMask, TerminateThread, GetQueuedCompletionStatus, LoadLibraryExW, GetWindowsDirectoryW, SetDllDirectoryW, HeapSetInformation, GetVolumeInformationW, GetNativeSystemInfo, OpenEventW, CreateFileMappingA, OpenFileMappingA, MapViewOfFileEx, OpenProcess, WaitNamedPipeW, CreateProcessW, TerminateProcess, GetProcessId, ProcessIdToSessionId, WTSGetActiveConsoleSessionId, SetFilePointerEx, ReleaseMutex, CreateMutexW, OpenMutexW, GetPrivateProfileIntW, GetPrivateProfileSectionW, GetDateFormatW, lstrcmpiW, SetThreadExecutionState, GetComputerNameExW, SetEndOfFile, GetFileAttributesExW, SetErrorMode, DeviceIoControl, CompareFileTime, GetFullPathNameW, GetSystemPowerStatus, GetOverlappedResult, GetTempFileNameW, CreateFileA, FlushFileBuffers, LoadLibraryA, AreFileApisANSI, GetExitCodeProcess, GetPriorityClass, SetPriorityClass, lstrcmpW, GlobalHandle, OpenThread, GetComputerNameExA, CreateSemaphoreW, GetThreadPriority, ExpandEnvironmentStringsA, GetThreadTimes, CompareStringW, SetProcessShutdownParameters, GetStringTypeW, EncodePointer, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, IsProcessorFeaturePresent, GetStringTypeExW, LCMapStringW, LCMapStringA, GetUserDefaultLCID, GetStringTypeExA, GetEnvironmentVariableW, GetFileTime, RemoveDirectoryW, CreateDirectoryExW, WaitForMultipleObjectsEx, GetLogicalProcessorInformation, CreateWaitableTimerA, ExitThread, GetCPInfo, GetCommandLineA, RtlUnwind, ExitProcess, GetModuleHandleExW, UnhandledExceptionFilter, GetStartupInfoW, CreateTimerQueue, SignalObjectAndWait, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, IsValidLocale, EnumSystemLocalesW, GetConsoleCP, GetConsoleMode, GetStdHandle, GetFileType, IsValidCodePage, GetACP, GetOEMCP, ReadConsoleW, VirtualProtect, FreeLibraryAndExitThread, InterlockedFlushSList, QueryDepthSList, GetEnvironmentStringsW, FreeEnvironmentStringsW, FindFirstFileExW, SetStdHandle, WriteConsoleW, SetEnvironmentVariableA, PeekNamedPipe, lstrlenA

Version Infos

Description	Data
LegalCopyright	TeamViewer Germany GmbH
InternalName	TeamViewer
FileVersion	12.3.62584.0
CompanyName	TeamViewer Germany GmbH
PrivateBuild	TeamViewer Remote Control Application
LegalTrademarks	TeamViewer
ProductName	TeamViewer
ProductVersion	12.0.259192
FileDescription	TeamViewer 12
OriginalFilename	TeamViewer.exe
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• TeamViewer.exe

Click to jump to process

Memory Usage

• TeamViewer.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: TeamViewer.exe PID: 7148 Parent PID: 5180

Function Logs

General

Start time:	16:10:36
Start date:	23/12/2021
Path:	C:\Users\user\Desktop\TeamViewer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TeamViewer.exe"
Imagebase:	0x10a0000
File size:	41074192 bytes
MD5 hash:	33A585DA49E0AE52CDC1BA8266BAEF9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Information Set

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report TeamViewer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: TeamViewer.exe PID: 7148 Parent PID: 5180

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried