hxxp://teamviewer[.]com

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
05/06/2023, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://teamviewer.com

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

Executes dropped EXE 16 IoCs

pid	Process
3984	TeamViewer_Setup_x64.exe
4484	TeamViewer_.exe
4348	TeamViewer_Service.exe
1188	MicrosoftEdgeWebview2Setup.exe
2224	MicrosoftEdgeUpdate.exe
3508	MicrosoftEdgeUpdate.exe
4704	MicrosoftEdgeUpdate.exe
3332	MicrosoftEdgeUpdateComRegisterShell64.exe
3400	MicrosoftEdgeUpdateComRegisterShell64.exe
4840	MicrosoftEdgeUpdateComRegisterShell64.exe
4412	MicrosoftEdgeUpdate.exe
5028	MicrosoftEdgeUpdate.exe
4116	MicrosoftEdgeUpdate.exe
4232	MicrosoftEdgeUpdate.exe
2136	MicrosoftEdge_X64_114.0.1823.37.exe
3936	setup.exe

Loads dropped DLL 64 IoCs

pid	Process
3984	TeamViewer_Setup_x64.exe
3984	TeamViewer_Setup_x64.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5B44BE66-4A80-4C24-9857-9840D975FA06}\LocalServer32\ = "C:\\Program Files\\TeamViewer\\TeamViewer.exe ToastActivated"	TeamViewer_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5B44BE66-4A80-4C24-9857-9840D975FA06}\LocalServer32	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4484-854-0x0000000072EA0000-0x0000000072EAA000-memory.dmp	upx
behavioral1/memory/4484-1202-0x0000000072EA0000-0x0000000072EAA000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.37\BHO\ie_to_edge_bho_64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_tr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.37\EdgeWebView.dat	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dll	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TVWebRTC.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_hi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_zh-CN.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dll	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\x64\tvmonitor.cat	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\MicrosoftEdgeUpdateOnDemand.exe	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\Printer\	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_bg.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_bn.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_sr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\uninstall.exe	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\teamviewervpn.cat	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_mk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\psuser_64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_fr.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Note.exe	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.dll	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.inf	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.37\concrt140.dll	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\utils\	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_kn.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_ml.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.inf	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\Printer\teamviewer_xpsdriverfilter.cat	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_nb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_as.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_ko.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_gl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\x64\VPN_Win7\TeamViewerVPN.inf	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\outlook\	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_en-GB.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_is.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.37\114.0.1823.37.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\114.0.1823.37\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\msedgeupdateres_de.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001af46-419.dat	nsis_installer_1
behavioral1/files/0x000600000001af46-419.dat	nsis_installer_2
behavioral1/files/0x000600000001af46-456.dat	nsis_installer_1
behavioral1/files/0x000600000001af46-456.dat	nsis_installer_2
behavioral1/files/0x000600000001af46-458.dat	nsis_installer_1
behavioral1/files/0x000600000001af46-458.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3332	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133304534526939599"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CurVer	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CurVer	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDAE441E-F0FD-4C2A-8BF7-1451FCDFAE16}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDAE441E-F0FD-4C2A-8BF7-1451FCDFAE16}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerSession\shell	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerPilotSessionReporting\shell\open	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvoneweblogin	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\ = "Update3COMClass"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tvsqsupport1\shell\open\command\ = "\"C:\\Program Files\\TeamViewer\\TeamViewer.exe\" \"%1\""	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LocalServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tvcontrol1\shell\open\command\ = "\"C:\\Program Files\\TeamViewer\\TeamViewer.exe\" \"%1\""	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blizzv1\ = "URL:blizzv1 Protocol"	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods\ = "26"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerPilotSessionReporting\shell\open\command	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvvideocall1\shell	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CLSID\ = "{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}"	MicrosoftEdgeUpdate.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
4484	TeamViewer_.exe
2224	MicrosoftEdgeUpdate.exe
2224	MicrosoftEdgeUpdate.exe
4992	chrome.exe
4992	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 1868	3900	chrome.exe	66
PID 3900 wrote to memory of 1868	3900	chrome.exe	66
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 1576	3900	chrome.exe	68
PID 3900 wrote to memory of 4016	3900	chrome.exe	69
PID 3900 wrote to memory of 4016	3900	chrome.exe	69
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70
PID 3900 wrote to memory of 364	3900	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://teamviewer.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe96159758,0x7ffe96159768,0x7ffe96159778
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:2
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2772 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2736 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3032 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5416 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2760 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5600 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5428 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1760 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5572 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=816 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe
  "C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4484
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
      4⤵
      Creates scheduled task(s)
      PID:3332
  - - C:\Program Files\TeamViewer\TeamViewer_Service.exe
      "C:\Program Files\TeamViewer\TeamViewer_Service.exe" -install
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:4348
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
      4⤵
      PID:3656
  - - C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe
      "C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe" /install
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1188
    - - C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\MicrosoftEdgeUpdate.exe" /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        5⤵
        Sets file execution options in registry
        Executes dropped EXE
        Checks system information in the registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2224
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:3332
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:3400
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:4840
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEMwREMxOEItN0JBRi00NDdBLTg0RTItOEJCMjQwQzYxNTQ1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntCQUQxQ0FERC0xRTM4LTQxMjktOEU3OC0xRUZBNzgwNkFEN0V9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTczLjQ1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTkyNzk1MjQ0IiBpbnN0YWxsX3RpbWVfbXM9IjEwMDAiLz48L2FwcD48L3JlcXVlc3Q-
        6⤵
        Executes dropped EXE
        Checks system information in the registry
        
        PID:4412
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{0C0DC18B-7BAF-447A-84E2-8BB240C61545}"
        6⤵
        Executes dropped EXE
        
        PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4916 --field-trial-handle=1880,i,12907454480406077960,16223291388149517075,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4496

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:4116
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEMwREMxOEItN0JBRi00NDdBLTg0RTItOEJCMjQwQzYxNTQ1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFN0UzQjRBOS0yRDdBLTRDNUQtOEIxMy1DMDA4MTgyMUI4NTV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk5Nzc0NTA5OSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4232
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A0488C1B-A26D-4EBD-952F-D1207B60FA5F}\MicrosoftEdge_X64_114.0.1823.37.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A0488C1B-A26D-4EBD-952F-D1207B60FA5F}\MicrosoftEdge_X64_114.0.1823.37.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:2136
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A0488C1B-A26D-4EBD-952F-D1207B60FA5F}\EDGEMITMP_80014.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A0488C1B-A26D-4EBD-952F-D1207B60FA5F}\EDGEMITMP_80014.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A0488C1B-A26D-4EBD-952F-D1207B60FA5F}\MicrosoftEdge_X64_114.0.1823.37.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\114.0.1823.37\MicrosoftEdge_X64_114.0.1823.37.exe

Filesize
140.5MB

MD5
793dd15a8e218b705e658c3b0d87ecce

SHA1
4a6a128e4e5d916525c8d968c933fb21215d9b4a

SHA256
1635e888d1ce89c978074e01f3f6393ca282870e3cc22e3cdc668986bab2d071

SHA512
57ceccbdca3634fc5b5e8a1a66e3710bc04aed41bcd5c8fb0c8c737dac22f276f97ce836f9fbd865c05f537cc5729842083cb4d47212e75f075d2ebba93017b5

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
ae0bd70d0d7e467457b9e39b29f78410

SHA1
b4a549508cbc9f975a191434d4d20ad3c28d5028

SHA256
4d9f16b00bda1db65b68cb486f7ae1bf5b32aedf7fd335e4a8ef2fa087870986

SHA512
cbe2b5ffe647f5318edd9825ea6536d6d14dab66920def0323fb5b4dc03a4f8b6781b9209e5a557ab4d270b3f2b170797e6bd807195c93869367c0a245a3168e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE4E2.tmp\MicrosoftEdgeUpdateSetup.exe

Filesize
1.5MB

MD5
b32d72daeee036e2b8f1c57e4a40e87a

SHA1
564caa330d077a3d26691338b3e38ee4879a929d

SHA256
65f6efdf6df4095971a95f4bf387590ae63109388344632a22458265ab7dd289

SHA512
b5d62ce1462d786c01d38e13d030ad6236ce63321819cf860cc6169f50f6309e627bc7709b305422851779e37dbae9fb358008aad8d6c124cd33cdec730288d5

Download Submit
C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe

Filesize
52.0MB

MD5
60caea5c5ff8bbe31c354f1e98df5098

SHA1
1099ec3dd93eb3fbdc61c95226e44ed27264d7d5

SHA256
ea38474a31383114d93e84d1a78688cf1b4772cde3ae276f5d680ba690982a93

SHA512
3ca65c85ae239b252b49b2ae16dd5fe505884d3f6dacd40d8a75a4d3b0783f4fd28f05a12ab29a538f15e899d538eee686e6839364d26e548488d16678729bad

Download Submit
C:\Program Files\TeamViewer\TeamViewer.exe

Filesize
77.4MB

MD5
461fc4ef3cef58fd3ed766ddc78e7a4f

SHA1
e0023d3cd50953747f0840488c008fe6b0c9e2f7

SHA256
111aa7518057341a590b4639bfffe95f5be2a9752d9936ac5519d4aeb3e336e9

SHA512
075afc2acdceb921ba433e3d9018b9eacdcd2a4fe849242b1b74557ddbea2989466bba56b7480cff76d6d604ada755bfc26902579bcf9644b6181107d2401edb

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Service.exe

Filesize
19.7MB

MD5
b870d85dddcb96365eca7c8bff305fe0

SHA1
ed0940baedf00cf6ac334a68c0927bfdacb1c257

SHA256
98ab16fb7b6ee9b63efdcbe9eda5d4241526e4b4ed31f3e08425813313a824e9

SHA512
00cc83c7e672b994ddb60bdb14da2d1a99981818efd7dbb288d41f3fd86b5c96e74ba5ee2c1cd43389b74efeb857340fca8922074a0e4c414bc6c3f2c67732a1

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
d6234897444656ce8b802c587d0069ca

SHA1
becee2030b378c4b302263b3a40aad7af0be83aa

SHA256
5135aa75486a5da6b680f4cf2b509bac57b0f27156fde9884adf573f64cb0a1c

SHA512
dc8867dd7ee9eddb20430a615d67557ea3b853e93cb80ab8888114cc7e75f71f31f05392e44831d41f12efa8c5336a572b1de9bf7bbdf4e12d4d93696542ce5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
27KB

MD5
924cad3455ebdc3bc3d85e06d9faac2f

SHA1
e0c85068201662f3c2fea02d1ad7364cc879701b

SHA256
e0ac20b42945b9a305e42a2ba71820ffa2eeab68e56b3d0a3e850cffceb0b0ae

SHA512
b78eb344be7e341fa54cf0155f2f9f157022f2374cbb15649d3a75ec3333caf0a1340e9bfbe646ff9e29d13be5b2c8f958c4df7f77f4d2d7c16dd9397db8d4d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
81KB

MD5
6e4f9cffc2407654c4025b91d529ba77

SHA1
75e1ca1aeaf219b7364eb2916b0fd92514de3afb

SHA256
ee4781f268cdbb15a244efd1549ccfbbdb2f9f7548c61853ecfb688b5adbb647

SHA512
0ac4bc294c5b0616f8c8549d54b1498d023e173ce72336d84387cdee71bf58b7b27193c07ffbc93b9442b9c17cba37f6d38dcdfea08e3942b7c261c56b49a0d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
88KB

MD5
2e30b94275b8acc83bec49192f4f75b0

SHA1
ae176cadbadcb882a3efc38b3480f702ccf2fcd2

SHA256
5efcadfec02837bf8cc6673a861cc09c13961ffe3c02fb7101e29ee9b68e6cf4

SHA512
2bbab62393a35b3423aa4b157243c46550eedde90de018725aeebbac2e7adc5a252db0e9c2a4dc0a2ec31ec90cc9b680c9b4ebcd9e4f217f4532700416b9917b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
20KB

MD5
78f9ed8056bd975459f239a26d89824c

SHA1
1bb6380e31225a3c91b39eb63c2e4cf8714a0ef0

SHA256
89061079770473930dbb5eb4a99e337e19b44f5a1f9e15dccb11b68ddea0ad6a

SHA512
ee3e19a3d3b209359f431afa8d70d4bcc07a23243954e5c79adfe0bf7b4ea9f5c3873ecfc811df3bbb8f5c5ee020e5cda3eeea03310cb2adb4541e4a302105fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
162KB

MD5
839a6afa03312253885699c84a96e70b

SHA1
7d58a182c70501beac223c48636c059632163e65

SHA256
90c81168c32945db973e0a1da67d6981293a0b3b996459c488ec409a188a7f1d

SHA512
d3759e7d1a16979833711e15b5064262ef5f3728b1f9941db34aa0b6fb9ea5891ac441bc708f3a56343763d017cd3257e368abccd5be816b9c8a9754f987b524

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
23KB

MD5
5bb5b01117aacd71cb1955ddcad3d156

SHA1
865f19011ddd428c748e4a521c7d545d31d72dac

SHA256
c5d4fa262a24ae6af1d6412eac0325f8806bff684240ab0a19ca3554b9419beb

SHA512
3d4af1d7e75efc7753e773784aef05462571826423345b343dfc42927001c963232cc5568e5102c417aff9aa15e589247f550d62b72a8a72e73c5ffb3a9817dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
86KB

MD5
7f8cb308d2d15798b515b513e21f288f

SHA1
6c40a59aa8de8ae888c04454ab91827e7f740980

SHA256
45c8407db86d4e115e5836435753c716d011eb70868c313df87803a84196c5e6

SHA512
e36e2e07bb73970a81ea9a27d6dce48ab7e4c5e394be0b06a6c464d3e49537fa1c5cb83970017a65a62eecf846aae81c04921324be7ed2dfc1cf3b1b7d872937

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
056a5a9a9ed51088ec21fb7dfc2a0ffa

SHA1
603e31339544e34e5e49bc02f9fa707801dec13f

SHA256
6f6bd4f1234e249ca0d2b84a8e39fa5deedbd8ccdb2ccfedf0ecad4361ff6b1a

SHA512
f585bf4a13e8b6ada912ba0d382b79eef6398ae15f0585d1718685bc9588e6267c39428d9afb9dd653e6cc4652da6546763c6107c8a02dfde168623ec21ca2e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0e707e323fc58342b51ac813366a6b59

SHA1
d740555f4f9dd164c1505b16b532e61a85d348c5

SHA256
36f1b4ad82dc8e255310524e9b14498df6f002b2d0b42528b79b5d8e85ada9fd

SHA512
5818d31f07ec194e7516f65755289470d52131737dda21e074c20400b69d3fc95f139e048abcbd4558163f36617b77e5228747b33267f28ee0b697c2739c7a19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
761456628fc4270efddf62a91efbb9a0

SHA1
7d37478e9022988c63ae8765181adfa4cae9811a

SHA256
38241f020b9b35543a85c1b8537578738805e842b2b71abf4c0808eb6571e7f2

SHA512
ebc05de04a73eb5411d87771f1af2be8ffa3ae819be49f59907963da1fc16c0625cda9bb85fc0189105f2a467a1a05766cfdcc30dcc3f3a8dbb0bc46a9330ec5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
bfd6695bb84b68797e9f9b464f816331

SHA1
862c1aa146b82fe4bbeab2d8295ac6205aa3eae2

SHA256
aaa773346d799020ded297a86af45696993b677022aaeeae00ddb4092fad98b6

SHA512
f1bc70379f584834364da0339a4803dc8fe160831701a51fbea41a9df956de35625fc03a3c95eb2fe8bf8af0ad40e2e87a09b74c4cb1c55b7a307e8b0680025e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
682fda15d5a0e7bc3f2999d9c2246a56

SHA1
87a5163b4c53d0e8fc4bb675144ee9b22a5feb2c

SHA256
3d0fba50c5d709b5d565607eb37f528f68637b4f930069f2e0b61706a779f0a1

SHA512
7609834d8a6c19e8e73ff525cb4b800cc8ddb29a59e5c22e827c69406a3f942c6a1bcc54cecf8983e37ebd5f0725d69fb4a6172778bf0f44331bcccbdb9c3c5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b7644a9ee998708254b4ebc68189eaa8

SHA1
4bf80126b3e2a6eff804bae4c1dffa495955769a

SHA256
cb8589a91240c1d772dc28fc47d7b67da3542231e5492e142ce6b21b06f2d565

SHA512
903546f8183a8b7f13122412049e17734a484c8932dd30926cb102dc79a00bec7883ec85efb0674081a4773c675067eb6ea36ec24335017f9875894d9527936d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
63e8502c9059b32e6efc7abe0e9aef09

SHA1
ac849cb4ecdd857d5d425a62f0bef44d771004d0

SHA256
0b196a732df2d0647c6f868d477a7f051309fa90fae3d69efae7f56996f21ce9

SHA512
7c3be33d6630a98a27cb924c5fbb9f40f095bf819e503624f6aee5c0d65e2d2517f4ecd2eaf4d11831dc55df2150592549f1ed50f8ec56a43467cb7566ed6d76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c4b81c455f2fc9ee0b9fd9541259915a

SHA1
4b360f4bc7dbb15af998f78ce4e23a647c4e4d33

SHA256
4f8e94c8b3caaf6ca0a9d1904d1c59942d38677dd47906310dc583e7a9274c0c

SHA512
d124250560373eccbe363da18159a57bcd69ae69bbd76a1b474fb01985d9d2de762583da896cf32b42e7ce30d8af71fc51e0c317629d12d96a603e985e09cfa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a4381e4ffe79f6e48080168de04aa923

SHA1
9997ffff4e9976df114c2186970676ee4eb919eb

SHA256
6d5360b0d2e80204edca15285dd02ec10ee09ab72186c6b280d1c4a24c690771

SHA512
831c72f7547b1a21d58bee6323c485dda77ccfdc86d39615a90fbc80528490b5b068e43e4adef590fa263ee4c98457143d3c6a9724de425a2d9caf500dc4a1ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
af59ac2bb8cbaed6118f0c3676f78645

SHA1
ca4a68034a872ee73ceac2d503167aaa52dfd797

SHA256
0b6c7d48f95492fcc6be2897efaf7bdcba18abf2e7cd63346de7507d3e111e73

SHA512
02438f16b525c461af59e9b3a4c34d4df150d56cb9e71825ed48b931d8bc7d0b87b8b05c1e228ff035e79175129ae641faec2757142d3c17ff18753785183b51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
d9fbce778d23b6b990a8a8e8ef454a12

SHA1
54d288b86f0e7710b82eb2dc99bd2c3adb02f9bf

SHA256
a7c9375ceeefd9eea7b465381feded70300e45e469b5547dd7f98f17ae14ee4e

SHA512
0ca8a9e6a424366af746ee3fa4b52837f681433c6a18612b884ec6054e8c3f843cc7bda8e925a971f00f57473fd2a089e6337f63eb6f524943e0e1285e6debf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
fcf805ff92fc991deb5413feffa3c45b

SHA1
78fbb58ff0b2ed179b1e95042d864a7e78a4b092

SHA256
c03cbae0c1c92e7ac21d3eeb32b26794459dc110d441e67805aa5d9ba5e5b876

SHA512
37b20ad67b620c9bfdfd3dbf0b71b848340e8a0747db35196e9df50174c33a1c0262dbf0461589a54e6083f9c8ab2be021376e255c76e3ca5be98946d4a2bd48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
05912b1b8dbcc2bc77f93dcbb6f520b3

SHA1
a8d5aa4b2463dde7a36a58315a2015ea2eb371b5

SHA256
42491943096f462e5efcbc86c0007fa04654672fd8a4eea18732447b229e2674

SHA512
e154f2171a43ce37f89aea1cf991acb6ea07f76d28e52777caae14baca82292e27affa05afb24d6b5689cfe3e29341cc4ed8c283cdb40e3559fcc1a34119bf27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe571443.TMP

Filesize
98KB

MD5
781d03ec63a0b7b1dbed0f6c2f2df771

SHA1
d1cbbb57c13a8234f5b984078a1b67cad3c275bb

SHA256
7d845be4f6daada2a6749a613c0f1dd237041b764fda6d14342b5f6452fb326b

SHA512
d506ccbcd13a171580a2234dae27ee114ef8218dc61bb8997ff19677e3ac79b3f8e7cd577bce7db571d4139a9ff3f4160fff6376948579f87b4ead0f8d10683a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV15Install.log

Filesize
4KB

MD5
70a541c583589a38c49d2a80dc069bfd

SHA1
bbaee3ff06c918e166a53cc0fa487d3113da0c7a

SHA256
8310abbdba58707b75d2700887e32608b19edd7dbaebc952f140049c06bfdefb

SHA512
96df651b798e83b190fc271a9d7daf7927e5fe09c96ce009d9f18dd20df10aae64e81c78c7d12a53a7febe6905a9e60ecaaaf855513c5141445a93995dbf943f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
52.0MB

MD5
60caea5c5ff8bbe31c354f1e98df5098

SHA1
1099ec3dd93eb3fbdc61c95226e44ed27264d7d5

SHA256
ea38474a31383114d93e84d1a78688cf1b4772cde3ae276f5d680ba690982a93

SHA512
3ca65c85ae239b252b49b2ae16dd5fe505884d3f6dacd40d8a75a4d3b0783f4fd28f05a12ab29a538f15e899d538eee686e6839364d26e548488d16678729bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
52.0MB

MD5
60caea5c5ff8bbe31c354f1e98df5098

SHA1
1099ec3dd93eb3fbdc61c95226e44ed27264d7d5

SHA256
ea38474a31383114d93e84d1a78688cf1b4772cde3ae276f5d680ba690982a93

SHA512
3ca65c85ae239b252b49b2ae16dd5fe505884d3f6dacd40d8a75a4d3b0783f4fd28f05a12ab29a538f15e899d538eee686e6839364d26e548488d16678729bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\install.ini

Filesize
78B

MD5
a3c26dd25fc88922e9297e2a9d04ac53

SHA1
807b0ca16c4080b6ce7ae8b09e7dcce7e52d5c19

SHA256
1c5231379c3025a42d51f956f649c445ebc550f9ad9b9f5cc4ae5e627ef456b3

SHA512
1d36ee7b43d82b72000520c0b0c37585576363fcd506aeab362c544000b0bf9702a357e118b2ae3499d8f8c9a7529f56169cc14e5281a5246ae9efd342c4fa59

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
50B

MD5
a48b05e8e36f7f4e9096ade8950b87e4

SHA1
c743c68fb5798389435927338d1c8ed1c59496a2

SHA256
72935bcb05a31b405a0e4a13eb0babd1640bbe03fad52ff85ffa91390d0e8eee

SHA512
7943a5c44c136347f199a1a3e1aa8af3f4ee9d5024d4588e3faa95f57dcd51292e606a057d567d45c8bc9d62ebfcfebd199654d1f1214b205124418c592f47f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\advanced_unicode.ini

Filesize
1KB

MD5
f68824a4130ebaf6bc7ab0f62256d7d7

SHA1
40af19a0d92b3c9e1a8b1eaab7d12c69e5df436a

SHA256
cd8149a2e89373075ee6db800b7f2496bacbfe21b23e4a06a3453632503b3965

SHA512
6a173aaa183be0e5a516cad484802dae1fc53a414f870f93ea846a9ef9f9df35153766ef632eb5e8ced8f94c2ed09a9decdf3465d46b0dcc44a6918d88e242cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\nsExec.dll

Filesize
18KB

MD5
9ea6ec7934495cc757639b5095362ca7

SHA1
ef2c14142b70689483576cc09083db4a2a363e02

SHA256
4d8c8353641bbb26bf9ea2ab2dbf126be6ef164b1ce80e3ef5030b873be166cd

SHA512
414b08f75bd7febb56784d8534cee028f6420776f07ce5797f66a78748c34b52f443aa35f72c8d7c81dd5366b34998b56d99a9d0d2b4b2b6bfc9775e4ff66531

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\nsis7z.dll

Filesize
187KB

MD5
7fe20cee9277556f4ef137e61d29d9f5

SHA1
d53c37dbf548914ed20c8ebb21186a95beef1ee3

SHA256
5d71aaeefbc81732017e9040c8087e6686a16dd54e6d9bcd5ba7a47af68cc925

SHA512
a90250214c6c5048b098e031fca5a8097854a8667330551d7694740e3bc83f7d77791d314e3ac75617ef1834b75c41e3e3d3c74da9794a207894c13fb2d4bef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\start_unicode.ini

Filesize
1KB

MD5
e1e5f83035cb20fd89b7de415465eb28

SHA1
9444cf7198dbf73700d19f4725d8d06efec87366

SHA256
483e0ae06bf051ffd48e0374d6d16454ad7ebc0794bfc4572e4c40155b4b4e2f

SHA512
b3aaa4d68a0d79a5ad8471ea8ebe9cea3f2ec202fcec32da1c39555d7e17b77738411f3b6b75a99c904014d2f0dee93644813775fb1c22e3c5694ac2713c31bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\start_unicode.ini

Filesize
2KB

MD5
55ec66cb4928d53530712459b4cb78ae

SHA1
37d54eb924ab5dcadaafb8c24aa6af9bbce2786b

SHA256
deddf1e8fb187015b8e7a86274557e41af715d3f98a9d0d67143a4e973ad6147

SHA512
7317c64ca690b94e92a7900bc58c6830616af57c617822c2ccb27240324a748b2eaede83a8e7367bf29ea2e19039ea9f5e6a3453b565c3f602afb36cde8b97d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\start_unicode.ini

Filesize
2KB

MD5
63cbc3c25720f810371cd9ce74d5ffd9

SHA1
5c72e7f9912256d0465e60146c325287bbd10f2a

SHA256
8791154afbb88010fc38298f150dd2e19c016bb06ca47a019c13a53c40305e86

SHA512
5900430718185a123b28dde6bbf16123598097c533560f2109086d33f665495e539ab733cb3abb0a5adf3ae3cd2b3618e5a67126a23609438f8725118f0a21a5

Download Submit
C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe

Filesize
52.6MB

MD5
74deb667a23dea38242cbb34c2c1a84b

SHA1
cfdf52af5449c2c9f58ecb1dd7f8995ccf05c1f9

SHA256
9dbda66e6097cdf07eeec5285ed7fcc98728be304d74dbefb0cf36b5a93caf28

SHA512
117dbafa2247c576248b15f427b094e06a149773768076eef965d38ae93ea9dc2fb2ef3fbc057c841e4413955d23f839196d868e69f30d85630dc303c268a484

Download Submit
C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe

Filesize
52.6MB

MD5
74deb667a23dea38242cbb34c2c1a84b

SHA1
cfdf52af5449c2c9f58ecb1dd7f8995ccf05c1f9

SHA256
9dbda66e6097cdf07eeec5285ed7fcc98728be304d74dbefb0cf36b5a93caf28

SHA512
117dbafa2247c576248b15f427b094e06a149773768076eef965d38ae93ea9dc2fb2ef3fbc057c841e4413955d23f839196d868e69f30d85630dc303c268a484

Download Submit
C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe

Filesize
52.6MB

MD5
74deb667a23dea38242cbb34c2c1a84b

SHA1
cfdf52af5449c2c9f58ecb1dd7f8995ccf05c1f9

SHA256
9dbda66e6097cdf07eeec5285ed7fcc98728be304d74dbefb0cf36b5a93caf28

SHA512
117dbafa2247c576248b15f427b094e06a149773768076eef965d38ae93ea9dc2fb2ef3fbc057c841e4413955d23f839196d868e69f30d85630dc303c268a484

Download Submit
\Users\Admin\AppData\Local\Temp\nsk3B25.tmp\System.dll

Filesize
22KB

MD5
e0d81e16e8ffd2ead568b6b5c33ee454

SHA1
65dc21f4dc316cd763bc95cef2d50ae511ab641f

SHA256
3de187772bcab22af801384e2828d1bb3f0400c5d16ae5857098def02d4e9ed5

SHA512
1900c967d3477da0f0f4dae98ec8cba1a67a5ae3c58eaecda215dbc300d924335a8561957f7781036e48314eec39c6290da93f92d76119557082376ad33bd62c

Download Submit
\Users\Admin\AppData\Local\Temp\nsk3B25.tmp\TvGetVersion.dll

Filesize
207KB

MD5
148766d1c26ed1c2afee7e86522bbbc2

SHA1
76481fe88f914e759c5facd6a90af4161234f32f

SHA256
fd75cdad91f86b09cfcfac46364f268145c26ed9ef17a97b26f71cfc87869b00

SHA512
b0614bca61df1b0545a949adb694b0b644b1e091584b18a5d12570bf0bb37ec7dae6e467cd20363268e31083bb03333463866be6485d21db5b460f913d40bd27

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\System.dll

Filesize
23KB

MD5
938c37b523d7fc08166e7a5810dd0f8e

SHA1
47b9663e5873669211655e0010e322f71b5a94be

SHA256
a91aa7c0ead677fc01b1c864e43e0cace110afb072b76ad47f4b3d1563f4dc20

SHA512
77afe83fb4e80a775dae0a54a2f0ff9710c135f9f1cf77396bc08a7fe46b016a8c079b4fa612e764eea5d258703f860688e38b443e33b1f980e04831739517c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\linker.dll

Filesize
56KB

MD5
b05a97bb3f532b7cf57b8eedf198d7af

SHA1
83c13a90f4a3c1c62e132f5f3bc70c97c2ecfc80

SHA256
7817f79bcdf54ef8617f15b5c0b9b92053549d5a51fa280722ee7179311b69a1

SHA512
40706c5fc72198148962d24046722fc5e488c0cc4b3374a9f4b652175919e97a8712e882940db8c26479619a26ec4e2d41744627a9ca52ec7cb1ce4f91d7ee8c

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\linker.dll

Filesize
56KB

MD5
b05a97bb3f532b7cf57b8eedf198d7af

SHA1
83c13a90f4a3c1c62e132f5f3bc70c97c2ecfc80

SHA256
7817f79bcdf54ef8617f15b5c0b9b92053549d5a51fa280722ee7179311b69a1

SHA512
40706c5fc72198148962d24046722fc5e488c0cc4b3374a9f4b652175919e97a8712e882940db8c26479619a26ec4e2d41744627a9ca52ec7cb1ce4f91d7ee8c

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\nsExec.dll

Filesize
18KB

MD5
9ea6ec7934495cc757639b5095362ca7

SHA1
ef2c14142b70689483576cc09083db4a2a363e02

SHA256
4d8c8353641bbb26bf9ea2ab2dbf126be6ef164b1ce80e3ef5030b873be166cd

SHA512
414b08f75bd7febb56784d8534cee028f6420776f07ce5797f66a78748c34b52f443aa35f72c8d7c81dd5366b34998b56d99a9d0d2b4b2b6bfc9775e4ff66531

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\nsExec.dll

Filesize
18KB

MD5
9ea6ec7934495cc757639b5095362ca7

SHA1
ef2c14142b70689483576cc09083db4a2a363e02

SHA256
4d8c8353641bbb26bf9ea2ab2dbf126be6ef164b1ce80e3ef5030b873be166cd

SHA512
414b08f75bd7febb56784d8534cee028f6420776f07ce5797f66a78748c34b52f443aa35f72c8d7c81dd5366b34998b56d99a9d0d2b4b2b6bfc9775e4ff66531

Download Submit
memory/4484-1202-0x0000000072EA0000-0x0000000072EAA000-memory.dmp

Filesize
40KB

Download
memory/4484-874-0x0000000008800000-0x0000000008832000-memory.dmp

Filesize
200KB

Download
memory/4484-854-0x0000000072EA0000-0x0000000072EAA000-memory.dmp

Filesize
40KB

Download
memory/4484-694-0x00000000022E0000-0x00000000022EE000-memory.dmp

Filesize
56KB

Download