Analysis Overview
SHA256
113d4fb8f7503e7b240aca6df1fb3882fd15e43b3f242fc9df72a00dbbfa80d7
Threat Level: Shows suspicious behavior
The file 76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:57
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_w32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_x64.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_w32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (Blob hex omitted) | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (Blob hex omitted) | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2276 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe |
| PID 2276 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe |
| PID 2276 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe |
| PID 2276 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe"
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_w32.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_w32.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_x64.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_x64.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ping3.teamviewer.com | udp |
| RS | 217.146.8.70:5938 | ping3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | master9.teamviewer.com | udp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
| DE | 185.188.32.9:5938 | master9.teamviewer.com | tcp |
Files
memory/2276-0-0x0000000000400000-0x000000000043F000-memory.dmp
\Users\Admin\AppData\Local\Temp\nseDEAE.tmp\TvGetVersion.dll
| MD5 | bec86f19027cbb13f05881e6712388f2 |
| SHA1 | c5fe5ecffe244869c60d8e3a023b610a08b62ff4 |
| SHA256 | c774a0fb87248b985b8543bd5ce2d5f58d64c091c912de8c0d45d9ff18ca1835 |
| SHA512 | 553a707b7b3d2b74039695e01c0a74c9c9a84696c67a1c087680fac8384998009369cbe78c6f1b23a018d0f4b46665379eb6f22bc0436d15d385bb8625e14837 |
\Users\Admin\AppData\Local\Temp\nseDEAE.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
\Users\Admin\AppData\Local\Temp\nseDEAE.tmp\nsis7z.dll
| MD5 | 06ff2b95b8e123d32487b0cb73409031 |
| SHA1 | 8cb3f584112db4e74cea4ed02d4ce0b3a5373bfa |
| SHA256 | 0dedad042a306da32784c3ce79bfac0475b827e416c17e1a1dfdb461151f4271 |
| SHA512 | 174e7599ba87bc45111ce340d7563771353df71988d6b9094d8bdeab4b45ec730cbd2e6bf3943ad66daa02d7f1f1eac0020b987109fabed96b2e0def8d0602c6 |
memory/2276-22-0x00000000003C0000-0x00000000003F3000-memory.dmp
\Users\Admin\AppData\Local\Temp\nseDEAE.tmp\ReadCustomerData.dll
| MD5 | 703598aa5ff97f512112cd766543a2f1 |
| SHA1 | 0bfb74b03227ee8510e153785edd76625404ab55 |
| SHA256 | 5f76752e83789bb8184070d618d83f43c2f565cc7fad2c4266e44339223ba69b |
| SHA512 | 3eff4670a3c97ec931eb1240d22a943ad6b19ea07ce781dabcc656ae2049d36c42b8f5bf3ce59366057ea3ece8913e83da3ec98c2c1434edf144dd9d4731fe58 |
memory/2276-66-0x00000000003C0000-0x00000000003D5000-memory.dmp
\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe
| MD5 | 93f07bec68e8034a720af5d8192cc7d9 |
| SHA1 | 2712801b4eb30809ce7737a3058e39d23f57cbef |
| SHA256 | 015b1912e194a987b997453d34807c61964695668e96798f1a0f14d8b860b441 |
| SHA512 | df762eae64b4eac28c432e767219fbebdd2cbeafdf42a454458c5a5142de9f65152b4bc917af421e62065656124f64e734863ce22165c617536a3cf2e2067292 |
memory/2276-104-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE4E5.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer_StaticRes.dll
| MD5 | 544bd524f936e803f493ab8ed918c25c |
| SHA1 | a84a04020b5708b14321a9adde34482e2fefbbc3 |
| SHA256 | 192e8b09becfbebac4fe71fe6ed391d0448f3c7056c88f68248be9a8505ddd57 |
| SHA512 | 7f66fd5a4b3e7eb25202e737e5ac841d44f5121571e6fa6f14a90f258435fc07f05ef2fa9e999864ef2f98fdeaf4b7db230fd80e01d2d43b211bcec49be99d05 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TV_w32.dll
| MD5 | cf249d56bb0d4685dd6c4828b97b8307 |
| SHA1 | aed4ccf8f9a280b84796e36d56f3fdf373410526 |
| SHA256 | ea3f4562e20e6b4bd892e11e597ccc02325aca1be579df244ce015b3bc7133c7 |
| SHA512 | f1ac55090ee93ad141e2cec3d9a0a98eddcdf50b26cddc41274cbb74fd87720584bf4aa37ae84683ea7c59d75ef0c26196a9aea1afd81b5836624ffc85ba4cf3 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TV_w32.exe
| MD5 | 684c5d48dd6a0cced97c4fe983bcfe47 |
| SHA1 | cf9c9c3d4d3bd073b83e169df85c074463b68167 |
| SHA256 | 5531101a8387222cac733726f6f58fb02ee4ce7798e5964514837c10ef4f7877 |
| SHA512 | 7e3e88366df92a44ce981bb6d49e64cb642ddffcfe73322239e6050a53631f649706479bb37e260a299319d58d4834ffcb5b6edfa7573d647fea919fe9903c79 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TV_x64.dll
| MD5 | 70014c076003d1d4822366c79ba3e3e6 |
| SHA1 | af350e238354c8cb46b63aec7bdab680554e9641 |
| SHA256 | 93bfe08aeedc6a995883e83652ec81080503104a69f15549f640e934aa691a82 |
| SHA512 | 7807705657cfced2423ea106a2492e4d494eb59f6b666fd448b54df196fdbf6618f470facbff71593b14b43b32d668f3868a21f6a880d2f84dd7ef491c330e64 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TV_x64.exe
| MD5 | 84c57f59da45494c5a1c124bd294aa1f |
| SHA1 | d41c850246e286309ecc737e8d24ed1b16841640 |
| SHA256 | 05e3ae965608f662378232e4847754e18c09f2b98e5bbb380f784f320a865bd9 |
| SHA512 | 715f981edda272725933cd0f6aab86049cbfc75f9f1b8af62a7be69512b559ae0592346b9b0b3ba763d7546ce60fa85362e657fab34d8a11caa26bc6be629627 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.ini
| MD5 | eb715eeb4d0397b95c534ac483b8ed25 |
| SHA1 | 7d94038f315db089229f35d1000b40dc7723e409 |
| SHA256 | 589ffa03e15f412afff610975906e5a022003f11c588f3fba6f0b090732649b4 |
| SHA512 | 87561ca10df0fcd0c108cface95464de2b3f8f594e4e171bce49d4896dc7e92fd16dbef2e0dae6268a8fb3523ba9081d838da0eaec1ca6e9e64923db91a7a89c |
memory/2552-126-0x0000000000790000-0x0000000000791000-memory.dmp
\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer_Resource_fr.dll
| MD5 | 9af4a79fa623b3ab053db41c0a2f6111 |
| SHA1 | bd390794a64c581086971a370d462a406d949aa3 |
| SHA256 | 684c72614db74d8e35406c5bf766b234e772b0471fd98ef8e62365dd1ca7527c |
| SHA512 | afb1af45cab5360e92d238f393a8811d879dd92a08d7b0ae3404565f704699e08a377f902224c5eeb5119be5d3ee848cf311396fa41d1a2210225c906446d826 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\logo.bmp
| MD5 | 9326c7e0f80cab41b16df1d13bf69fd4 |
| SHA1 | 5d43d26c75cf84c90e2898df574d9ba3de9d51c1 |
| SHA256 | 4df624d011321d1c02b9958dc992ed5306af6df6e9d5378c61515b857532889f |
| SHA512 | 0f8a545a34b2044694f9c9b197bd935be6d0a3f701cfe6434ce99b17d4815f6c6f11002d5e5c7efffe8b2a5927b6b4b9f4607b6b1c4d93f411c08313747d9b1a |
C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
| MD5 | 2480a6a1f733a8a9ef589d4f6683dc55 |
| SHA1 | 6123a1251dc9ac1bc72da4e6d85136a30f484d3c |
| SHA256 | ae9b3aff3b1b3aa7f1370b3d6112492859b38166e53b3b23b9f5c227b755fe1b |
| SHA512 | 53a790be08168b548e4dcce686a485a1a21288e69bcc8f691967a43739bff03eec4e5242ed7d23a8aad64460da5a2dc52756113401e7b678edc693ea4830894e |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tvinfo.ini
| MD5 | 7a2fa64925cadf2c7b09d61bb079f031 |
| SHA1 | 77f0e11bfd93d534373df6544b07a001fa495ab8 |
| SHA256 | 4373b7e651357494a17893f62090767ea24c4f56443a3e2d75d43fea7609c88d |
| SHA512 | ef597fd55aed78716f2004643b4f506d77c64163ce89c847dd511fd8f0e36a870709aba12686595e317695663c4c0c7450466e84f2bac925c6afaf5d99934649 |
memory/2552-146-0x0000000000790000-0x0000000000791000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20241023-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2628 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2628 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2628 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2628 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2628 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2628 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2628 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tv_w32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tv_w32.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_w32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_x64.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_w32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (Blob hex omitted) | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (Blob hex omitted) | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 516 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe |
| PID 516 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe |
| PID 516 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76231aa5daf7e77b57ce225a2c72c8ec_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe"
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_w32.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_w32.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_x64.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tv_x64.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ping3.teamviewer.com | udp |
| IT | 37.252.253.104:5938 | ping3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | master4.teamviewer.com | udp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.253.252.37.in-addr.arpa | udp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 4.32.188.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
| DE | 185.188.32.4:5938 | master4.teamviewer.com | tcp |
Files
memory/516-0-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp\TvGetVersion.dll
| MD5 | bec86f19027cbb13f05881e6712388f2 |
| SHA1 | c5fe5ecffe244869c60d8e3a023b610a08b62ff4 |
| SHA256 | c774a0fb87248b985b8543bd5ce2d5f58d64c091c912de8c0d45d9ff18ca1835 |
| SHA512 | 553a707b7b3d2b74039695e01c0a74c9c9a84696c67a1c087680fac8384998009369cbe78c6f1b23a018d0f4b46665379eb6f22bc0436d15d385bb8625e14837 |
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
memory/516-23-0x0000000006A00000-0x0000000006A33000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp\nsis7z.dll
| MD5 | 06ff2b95b8e123d32487b0cb73409031 |
| SHA1 | 8cb3f584112db4e74cea4ed02d4ce0b3a5373bfa |
| SHA256 | 0dedad042a306da32784c3ce79bfac0475b827e416c17e1a1dfdb461151f4271 |
| SHA512 | 174e7599ba87bc45111ce340d7563771353df71988d6b9094d8bdeab4b45ec730cbd2e6bf3943ad66daa02d7f1f1eac0020b987109fabed96b2e0def8d0602c6 |
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp\ReadCustomerData.dll
| MD5 | 703598aa5ff97f512112cd766543a2f1 |
| SHA1 | 0bfb74b03227ee8510e153785edd76625404ab55 |
| SHA256 | 5f76752e83789bb8184070d618d83f43c2f565cc7fad2c4266e44339223ba69b |
| SHA512 | 3eff4670a3c97ec931eb1240d22a943ad6b19ea07ce781dabcc656ae2049d36c42b8f5bf3ce59366057ea3ece8913e83da3ec98c2c1434edf144dd9d4731fe58 |
memory/516-71-0x0000000006A00000-0x0000000006A15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.exe
| MD5 | 93f07bec68e8034a720af5d8192cc7d9 |
| SHA1 | 2712801b4eb30809ce7737a3058e39d23f57cbef |
| SHA256 | 015b1912e194a987b997453d34807c61964695668e96798f1a0f14d8b860b441 |
| SHA512 | df762eae64b4eac28c432e767219fbebdd2cbeafdf42a454458c5a5142de9f65152b4bc917af421e62065656124f64e734863ce22165c617536a3cf2e2067292 |
memory/516-115-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TV_x64.dll
| MD5 | 70014c076003d1d4822366c79ba3e3e6 |
| SHA1 | af350e238354c8cb46b63aec7bdab680554e9641 |
| SHA256 | 93bfe08aeedc6a995883e83652ec81080503104a69f15549f640e934aa691a82 |
| SHA512 | 7807705657cfced2423ea106a2492e4d494eb59f6b666fd448b54df196fdbf6618f470facbff71593b14b43b32d668f3868a21f6a880d2f84dd7ef491c330e64 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TV_x64.exe
| MD5 | 84c57f59da45494c5a1c124bd294aa1f |
| SHA1 | d41c850246e286309ecc737e8d24ed1b16841640 |
| SHA256 | 05e3ae965608f662378232e4847754e18c09f2b98e5bbb380f784f320a865bd9 |
| SHA512 | 715f981edda272725933cd0f6aab86049cbfc75f9f1b8af62a7be69512b559ae0592346b9b0b3ba763d7546ce60fa85362e657fab34d8a11caa26bc6be629627 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TV_w32.exe
| MD5 | 684c5d48dd6a0cced97c4fe983bcfe47 |
| SHA1 | cf9c9c3d4d3bd073b83e169df85c074463b68167 |
| SHA256 | 5531101a8387222cac733726f6f58fb02ee4ce7798e5964514837c10ef4f7877 |
| SHA512 | 7e3e88366df92a44ce981bb6d49e64cb642ddffcfe73322239e6050a53631f649706479bb37e260a299319d58d4834ffcb5b6edfa7573d647fea919fe9903c79 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer.ini
| MD5 | eb715eeb4d0397b95c534ac483b8ed25 |
| SHA1 | 7d94038f315db089229f35d1000b40dc7723e409 |
| SHA256 | 589ffa03e15f412afff610975906e5a022003f11c588f3fba6f0b090732649b4 |
| SHA512 | 87561ca10df0fcd0c108cface95464de2b3f8f594e4e171bce49d4896dc7e92fd16dbef2e0dae6268a8fb3523ba9081d838da0eaec1ca6e9e64923db91a7a89c |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer_Resource_fr.dll
| MD5 | 9af4a79fa623b3ab053db41c0a2f6111 |
| SHA1 | bd390794a64c581086971a370d462a406d949aa3 |
| SHA256 | 684c72614db74d8e35406c5bf766b234e772b0471fd98ef8e62365dd1ca7527c |
| SHA512 | afb1af45cab5360e92d238f393a8811d879dd92a08d7b0ae3404565f704699e08a377f902224c5eeb5119be5d3ee848cf311396fa41d1a2210225c906446d826 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TeamViewer_StaticRes.dll
| MD5 | 544bd524f936e803f493ab8ed918c25c |
| SHA1 | a84a04020b5708b14321a9adde34482e2fefbbc3 |
| SHA256 | 192e8b09becfbebac4fe71fe6ed391d0448f3c7056c88f68248be9a8505ddd57 |
| SHA512 | 7f66fd5a4b3e7eb25202e737e5ac841d44f5121571e6fa6f14a90f258435fc07f05ef2fa9e999864ef2f98fdeaf4b7db230fd80e01d2d43b211bcec49be99d05 |
memory/4504-123-0x0000000001590000-0x0000000001591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\TV_w32.dll
| MD5 | cf249d56bb0d4685dd6c4828b97b8307 |
| SHA1 | aed4ccf8f9a280b84796e36d56f3fdf373410526 |
| SHA256 | ea3f4562e20e6b4bd892e11e597ccc02325aca1be579df244ce015b3bc7133c7 |
| SHA512 | f1ac55090ee93ad141e2cec3d9a0a98eddcdf50b26cddc41274cbb74fd87720584bf4aa37ae84683ea7c59d75ef0c26196a9aea1afd81b5836624ffc85ba4cf3 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\logo.bmp
| MD5 | 9326c7e0f80cab41b16df1d13bf69fd4 |
| SHA1 | 5d43d26c75cf84c90e2898df574d9ba3de9d51c1 |
| SHA256 | 4df624d011321d1c02b9958dc992ed5306af6df6e9d5378c61515b857532889f |
| SHA512 | 0f8a545a34b2044694f9c9b197bd935be6d0a3f701cfe6434ce99b17d4815f6c6f11002d5e5c7efffe8b2a5927b6b4b9f4607b6b1c4d93f411c08313747d9b1a |
C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
| MD5 | c117d3542f3d7cd35c08e60c20343bdb |
| SHA1 | 50aca1f0744c4c91f0dbd815f093b505f5a96059 |
| SHA256 | f01680996c2eca51681a2c24e1b55294db2feb63b285a6474433822d3dd89896 |
| SHA512 | 670e24d9786bd17626535b34858b6f504d606a0ab005d1ede6d798b1eeba3b1bbf72cd558066eb3db9d80724c0476b4afcf69420b2f122a5cfec3f338e79ed82 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version7\tvinfo.ini
| MD5 | 7a2fa64925cadf2c7b09d61bb079f031 |
| SHA1 | 77f0e11bfd93d534373df6544b07a001fa495ab8 |
| SHA256 | 4373b7e651357494a17893f62090767ea24c4f56443a3e2d75d43fea7609c88d |
| SHA512 | ef597fd55aed78716f2004643b4f506d77c64163ce89c847dd511fd8f0e36a870709aba12686595e317695663c4c0c7450466e84f2bac925c6afaf5d99934649 |
memory/4504-138-0x0000000001590000-0x0000000001591000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20241010-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 248
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tv_w32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = … | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
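The "Modifies system certificate store" rows above are worth a closer look before treating them as malicious. The key name is a SHA-1 thumbprint, and the Blob value is Windows' serialized certificate-property format: a sequence of records, each `u32 LE property id | u32 LE reserved (always 1) | u32 LE length | data`. In the Blob recorded here, property 3 (CERT_SHA1_HASH_PROP_ID) carries 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5, the same value as the key name, property 11 is the UTF-16LE friendly name "VeriSign", and property 32 (CERT_CERT_PROP_ID) is the DER certificate, whose subject reads "VeriSign Class 3 Public Primary Certification Authority - G5". A write of a well-known root under AuthRoot\Certificates is commonly a side effect of CryptoAPI's automatic root update during chain building; the thing a practitioner actually wants to confirm is that the DER inside the blob hashes to the thumbprint the key name claims, since a rogue root can be hidden under a trusted-looking key name. The following parser is an added example written for this page, not code from the sandbox or from TeamViewer. REPORT_BLOB_PREFIX is four of the property records copied from the Blob above (without the certificate, to keep the sample short); FAKE_CERT, GOOD_BLOB and TAMPERED_BLOB are constructed samples, and the function names are this example's own.

```python
"""Parse a Windows serialized-certificate Blob (the REG_BINARY written under
SystemCertificates\\...\\Certificates\\<SHA1>\\Blob) and check that the DER
certificate it carries really has the thumbprint the registry key name claims.

Record layout: u32 LE property id | u32 LE reserved (always 1) | u32 LE length | data
"""
import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_blob(blob: bytes) -> dict:
    """Split a Blob into {property_id: data}.

    Raises ValueError on a truncated record or a reserved field != 1, which is
    the usual sign that the value is not a certificate-store blob at all.
    """
    props = {}
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 12:
            raise ValueError(f"truncated record header at offset {pos}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, pos)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} at offset {pos + 4}")
        pos += 12
        if pos + length > len(blob):
            raise ValueError(f"record {prop_id} claims {length} bytes past end of blob")
        props[prop_id] = blob[pos:pos + length]
        pos += length
    return props


def friendly_name(props: dict) -> str:
    """Property 11 is UTF-16LE with a trailing NUL."""
    return props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")


def check_thumbprint(blob: bytes, key_name: str) -> tuple:
    """Return (ok, sha1_of_embedded_cert_hex).

    ok is True only when SHA-1(property 32) equals both the stored SHA-1
    property (3) and the registry key name. A mismatch means the blob was
    hand-built or the key was renamed to look like a known root.
    """
    props = parse_blob(blob)
    if CERT_CERT_PROP_ID not in props:
        return False, ""
    computed = hashlib.sha1(props[CERT_CERT_PROP_ID]).hexdigest()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    return (computed == stored == key_name.lower()), computed


def build_blob(records) -> bytes:
    """Serialize [(prop_id, data), ...] in Blob format; used to construct samples."""
    out = bytearray()
    for prop_id, data in records:
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return bytes(out)


# Four property records copied from the report's Blob (props 0x5c, 0x19, 3, 11).
REPORT_BLOB_PREFIX = bytes.fromhex(
    "5c0000000100000004000000" "00080000"
    "190000000100000010000000" "d8b5fb368468620275d142ffd2aade37"
    "030000000100000014000000" "4eb6d578499b1ccf5f581ead56be3d9b6744a5e5"
    "0b0000000100000012000000" "56006500720069005300690067006e000000"
)
REPORT_KEY_NAME = "4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5"

# Constructed samples (not real certificates): a body whose SHA-1 agrees with
# property 3 and the key name, and one where the body was swapped afterwards.
FAKE_CERT = b"\x30\x82\x00\x10constructed-not-a-real-cert"
GOOD_KEY_NAME = hashlib.sha1(FAKE_CERT).hexdigest().upper()
GOOD_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_CERT).digest()),
    (CERT_FRIENDLY_NAME_PROP_ID, "Test Root\x00".encode("utf-16-le")),
    (CERT_CERT_PROP_ID, FAKE_CERT),
])
TAMPERED_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_CERT).digest()),
    (CERT_CERT_PROP_ID, FAKE_CERT + b"X"),
])

if __name__ == "__main__":
    p = parse_blob(REPORT_BLOB_PREFIX)
    print("friendly name:", friendly_name(p), "| stored SHA-1:", p[CERT_SHA1_HASH_PROP_ID].hex())
    print("constructed good blob:", check_thumbprint(GOOD_BLOB, GOOD_KEY_NAME))
    print("constructed tampered blob:", check_thumbprint(TAMPERED_BLOB, GOOD_KEY_NAME))
```

To run it against the real value, export the key with `reg export` or read the Blob with `winreg`, hex-decode it and pass the bytes and the key name to check_thumbprint; for this report the embedded DER should hash to 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5, which is what separates a benign AuthRoot refresh from an injected root.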
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe"
C:\Users\Admin\AppData\Local\Temp\tv_w32.exe
"C:\Users\Admin\AppData\Local\Temp\tv_w32.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
C:\Users\Admin\AppData\Local\Temp\tv_x64.exe
"C:\Users\Admin\AppData\Local\Temp\tv_x64.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ping3.teamviewer.com | udp |
| IT | 34.154.114.178:5938 | ping3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | master15.teamviewer.com | udp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.114.154.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.32.188.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 8.8.8.8:53 | N/A | udp |
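Most rows in the Network table above are sandbox background rather than the sample: reverse lookups (`*.in-addr.arpa`) sent to 8.8.8.8 and Bing/Microsoft telemetry from the Windows 10 image. What belongs to the sample is the resolution of ping3.teamviewer.com and master15.teamviewer.com and the TCP sessions to 34.154.114.178:5938 and 185.188.32.25:5938 (5938 is TeamViewer's own port). The triage script below is an added example written for this page, not part of the report or the sandbox. SAMPLE_ROWS is a twelve-row subset of the table copied as-is, including the three-column row that closes it, so the parser has to cope with a missing Domain cell; NOISE_SUFFIXES is this example's own assumption about what the guest generates on its own.

```python
"""Triage the Network table of a sandbox report: drop resolver and Windows
background noise, keep what the sample itself resolved and connected to."""
import re
from collections import Counter

# Twelve rows copied from the behavioral14 Network table (a subset; the full
# table has many more master15.teamviewer.com rows), ending with the malformed
# three-column row that closes that table.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ping3.teamviewer.com | udp |
| IT | 34.154.114.178:5938 | ping3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | master15.teamviewer.com | udp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 185.188.32.25:5938 | master15.teamviewer.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
"""

# Well-formed four-column row, and a fallback for a row whose Domain cell is missing.
ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(.*?)\s*\|\s*(tcp|udp)\s*\|\s*$")
ROW3_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|\s*$")

# Assumed background traffic of a Windows 10 sandbox guest; not taken from the report.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net", ".microsoft.com")


def parse_rows(text: str) -> list:
    """Return one dict per table row; header, separator and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            country, dest, domain, proto = m.groups()
        else:
            m = ROW3_RE.match(line)
            if not m:
                continue
            country, dest, proto = m.groups()
            domain = ""  # Domain cell absent from the row
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def is_dns(row: dict) -> bool:
    return row["proto"] == "udp" and row["dest"].endswith(":53")


def triage(text: str) -> dict:
    rows = [r for r in parse_rows(text) if not r["domain"].endswith(NOISE_SUFFIXES)]
    # Names the sample looked up, kept even when no connection followed (a DNS-only IOC).
    resolved = sorted({r["domain"] for r in rows if is_dns(r) and r["domain"]})
    # Real connections, counted per (destination, domain) pair.
    connections = Counter((r["dest"], r["domain"]) for r in rows if not is_dns(r))
    return {"resolved": resolved, "connections": connections}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("resolved:", result["resolved"])
    for (dest, domain), n in result["connections"].most_common():
        print(f"{n:3d}  {dest:22s} {domain}")
```

The DNS rows are kept for the resolved list on purpose: a domain the sample resolved but never connected to (because the sandbox cut the network, or the server was down) is still an indicator, and dropping every `:53` row would lose it.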
Files
memory/1676-0-0x0000000001210000-0x0000000001211000-memory.dmp
C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
| MD5 | 61c0aa163583bdd78a39f61df9451469 |
| SHA1 | 91da8cc906b28f64a95e26d61ba679acc141793b |
| SHA256 | 8434f6511f2a474bd4d914cab3a14402a941254f161b4c67fe9ea0046acb2ee0 |
| SHA512 | 5c438cc498550ba705e9b6d3c444008f602c3f1e391beb4a518855d78cd75debaafc437d93edd91431d3920e47b89d52311a59dda9bc50f1bf30acec7b13c784 |
memory/1676-3-0x0000000001210000-0x0000000001211000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
137s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = … | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = … | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:54967 | N/A | tcp |
| N/A | 127.0.0.1:5939 | N/A | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tv_x64.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tv_x64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 224
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 4040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4988 wrote to memory of 4040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4988 wrote to memory of 4040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4040 -ip 4040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\tv_x64.exe
"C:\Users\Admin\AppData\Local\Temp\tv_x64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3584 wrote to memory of 3984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3584 wrote to memory of 3984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3584 wrote to memory of 3984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3984 -ip 3984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
138s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4800 wrote to memory of 4756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4800 wrote to memory of 4756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4800 wrote to memory of 4756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4756 -ip 4756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Service.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TeamViewer_Service.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Service.exe"
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
143s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Service.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TeamViewer_Service.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Service.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3988 wrote to memory of 5088 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3988 wrote to memory of 5088 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3988 wrote to memory of 5088 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tv_w32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tv_w32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20241010-en
Max time kernel
12s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 228
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_StaticRes.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ReadCustomerData.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ReadCustomerData.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 224
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240708-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_fr.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tv_w32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tv_w32.exe
"C:\Users\Admin\AppData\Local\Temp\tv_w32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3260 wrote to memory of 4276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3260 wrote to memory of 4276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3260 wrote to memory of 4276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ReadCustomerData.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ReadCustomerData.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4852 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4852 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tv_w32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe"
C:\Users\Admin\AppData\Local\Temp\tv_w32.exe
"C:\Users\Admin\AppData\Local\Temp\tv_w32.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
C:\Users\Admin\AppData\Local\Temp\tv_x64.exe
"C:\Users\Admin\AppData\Local\Temp\tv_x64.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ping3.teamviewer.com | udp |
| CZ | 178.255.154.140:5938 | ping3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | master10.teamviewer.com | udp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| CZ | 178.255.154.140:5938 | ping3.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
| DE | 185.188.32.10:5938 | master10.teamviewer.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabDA5A.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2100-14-0x0000000000140000-0x0000000000141000-memory.dmp
C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
| MD5 | f11717bdf5ff233ed2bffe89215f5113 |
| SHA1 | 04419e7dafaf04ad36e26b307b09b9cf27d5fac6 |
| SHA256 | b18277106fe71bc5f0eaf8a94ff4bf96e5945f341c64c4b00c2ce4bfea4d96e6 |
| SHA512 | e8f0eb0cff4d3e91fdb6d5ee12c577a7ba7d46f0a17492f1bca257a9d474e48aa2b09dcd2c16bbe5d2990d718ef263c9a552733135f33e19b00c5f0870180148 |
C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer7_Logfile.log
| MD5 | afdb9b711e9d0394a3b0a5b266726bed |
| SHA1 | d9b02390f58d07bc224f70bbf722129f99070379 |
| SHA256 | 0f20e4fa96755c13a8b35abc80974afdea4b8ce85b9c7e590e8c021cd70a4f89 |
| SHA512 | 15871f6b457d91f9e55a3824e77152c30a920b6f869a2b31336a8fa5d2771dbefb3beb278c187a57d65b967eda03dd94c0e3250b88cd43335686c43981ef6073 |
memory/2100-17-0x0000000000140000-0x0000000000141000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Desktop.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49203 | N/A | tcp |
| N/A | 127.0.0.1:5939 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab825B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_fr.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_StaticRes.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20241010-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tv_w32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tv_w32.exe
"C:\Users\Admin\AppData\Local\Temp\tv_w32.exe"
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-10-27 21:57
Reported
2024-10-27 22:00
Platform
win7-20240708-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\tv_x64.exe
"C:\Users\Admin\AppData\Local\Temp\tv_x64.exe"