File name: teamviewer_z-th3A1.exe
Full analysis: https://app.any.run/tasks/1e749ce4-b79b-4d6c-b984-12522b951625
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 02, 2024, 13:46:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 260F4EE8A9FA1699A32089EF1CEB479F
SHA1: 7D5822864AB87B2034FDA7A01D1CA40C2E343D5D
SHA256: F12CC7A5D8E4A03237184C2FED318C7B3103895E2DF523BF5A77CE77011D4E16
SSDEEP: 49152:h7HecD4dnbibBl3zhuJvFfjQbMWR9PYf9fodh8vT90mkO5Tc1T1PkRuOGeT/Wxqo:J+cD4dnQuJBs9C9gdh8vhk2eT7s1kfIS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • teamviewer_z-th3A1.exe (PID: 1632)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • teamviewer_z-th3A1.exe (PID: 3416)
      • file_z-th3A1.exe (PID: 1028)
      • teamviewer.exe (PID: 3600)
      • saBSI.exe (PID: 3316)
      • installer.exe (PID: 1832)
      • TeamViewer_.exe (PID: 3536)
    • Antivirus name has been found in the command line (generic signature)

      • installer.exe (PID: 2992)
    • Uses Task Scheduler to autorun other applications

      • ns5C3C.tmp (PID: 2300)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ns9F14.tmp (PID: 3152)
    • Actions look like stealing of personal data

      • TeamViewer.exe (PID: 2420)
    • Steals credentials from Web Browsers

      • TeamViewer.exe (PID: 2420)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • teamviewer_z-th3A1.exe (PID: 3416)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.exe (PID: 1028)
      • teamviewer_z-th3A1.exe (PID: 1632)
      • file_z-th3A1.tmp (PID: 3156)
      • TeamViewer_.exe (PID: 3536)
      • saBSI.exe (PID: 3316)
      • installer.exe (PID: 1832)
      • teamviewer.exe (PID: 3600)
    • Reads the Internet Settings

      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • TeamViewer.exe (PID: 2420)
    • Reads settings of System Certificates

      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer.exe (PID: 2420)
    • Reads the Windows owner or organization settings

      • file_z-th3A1.tmp (PID: 3156)
      • teamviewer_z-th3A1.tmp (PID: 1376)
    • Process requests binary or script from the Internet

      • file_z-th3A1.tmp (PID: 3156)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 3316)
    • Reads security settings of Internet Explorer

      • saBSI.exe (PID: 3316)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer.exe (PID: 2420)
    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 3316)
      • installer.exe (PID: 1832)
      • installer.exe (PID: 2992)
      • TeamViewer_Service.exe (PID: 4016)
    • The process creates files with names similar to system file names

      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
    • Starts application with an unusual extension

      • TeamViewer_.exe (PID: 3536)
    • Drops a system driver (possible attempt to evade defenses)

      • TeamViewer_.exe (PID: 3536)
    • Drops 7-zip archiver for unpacking

      • TeamViewer_.exe (PID: 3536)
    • Checks Windows Trust Settings

      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 3172)
      • saBSI.exe (PID: 3316)
      • TeamViewer.exe (PID: 2420)
      • tv_w32.exe (PID: 2152)
      • TeamViewer_Service.exe (PID: 4016)
    • Executes as Windows Service

      • TeamViewer_Service.exe (PID: 4016)
    • Reads Microsoft Outlook installation path

      • TeamViewer.exe (PID: 2420)
    • Connects to unusual port

      • TeamViewer_Service.exe (PID: 4016)
    • Reads Internet Explorer settings

      • TeamViewer.exe (PID: 2420)
  • INFO

    • Reads the computer name

      • teamviewer_z-th3A1.tmp (PID: 1316)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer_Service.exe (PID: 4016)
      • TeamViewer.exe (PID: 2420)
      • tv_w32.exe (PID: 2152)
    • Creates files in a temporary directory

      • teamviewer_z-th3A1.exe (PID: 1632)
      • teamviewer_z-th3A1.exe (PID: 3416)
      • file_z-th3A1.tmp (PID: 3156)
      • file_z-th3A1.exe (PID: 1028)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • saBSI.exe (PID: 3316)
      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer.exe (PID: 2420)
    • Checks supported languages

      • teamviewer_z-th3A1.exe (PID: 3416)
      • teamviewer_z-th3A1.tmp (PID: 1316)
      • file_z-th3A1.exe (PID: 1028)
      • file_z-th3A1.tmp (PID: 3156)
      • teamviewer_z-th3A1.exe (PID: 1632)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • saBSI.exe (PID: 3316)
      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
      • installer.exe (PID: 1832)
      • ns95FA.tmp (PID: 3136)
      • TeamViewer_Service.exe (PID: 2736)
      • ns9976.tmp (PID: 2768)
      • TeamViewer.exe (PID: 3172)
      • ns9F14.tmp (PID: 3152)
      • nsA782.tmp (PID: 3928)
      • TeamViewer_Service.exe (PID: 4016)
      • TeamViewer.exe (PID: 2420)
      • tv_w32.exe (PID: 2152)
      • ns5C3C.tmp (PID: 2300)
    • Reads the machine GUID from the registry

      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer_Service.exe (PID: 4016)
      • TeamViewer.exe (PID: 2420)
      • tv_w32.exe (PID: 2152)
    • Creates files in the program directory

      • saBSI.exe (PID: 3316)
      • TeamViewer_Service.exe (PID: 4016)
      • TeamViewer_.exe (PID: 3536)
      • installer.exe (PID: 1832)
    • Application launched itself

      • msedge.exe (PID: 3372)
      • msedge.exe (PID: 2136)
    • Manual execution by a user

      • msedge.exe (PID: 2136)
    • Reads Microsoft Office registry keys

      • TeamViewer_.exe (PID: 3536)
    • Creates files or folders in the user directory

      • saBSI.exe (PID: 3316)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer.exe (PID: 2420)
    • Process checks computer location settings

      • TeamViewer_Service.exe (PID: 4016)
      • TeamViewer.exe (PID: 2420)
    • Reads the time zone

      • TeamViewer_Service.exe (PID: 4016)
    • Reads CPU info

      • TeamViewer.exe (PID: 2420)
    • Checks proxy server information

      • TeamViewer.exe (PID: 2420)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 18:10:23+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 4.12.2185.0
ProductVersionNumber: 4.12.2185.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Wizard
FileVersion: 4.12.2185
LegalCopyright:
OriginalFileName:
ProductName: Wizard
ProductVersion: 4.12.2185
No data.
All screenshots are available in the full report
Total processes: 93
Monitored processes: 47
Malicious processes: 13
Suspicious processes: 4

Behavior graph

Process nodes in the graph, in start order ("no specs" marks a node without indicators): start, teamviewer_z-th3a1.exe, teamviewer_z-th3a1.tmp (no specs), teamviewer_z-th3a1.exe, teamviewer_z-th3a1.tmp, file_z-th3a1.exe, file_z-th3a1.tmp, sabsi.exe, teamviewer.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), teamviewer_.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), installer.exe, installer.exe (no specs), ns5c3c.tmp, schtasks.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), ns95fa.tmp (no specs), teamviewer_service.exe (no specs), ns9976.tmp (no specs), teamviewer.exe (no specs), ns9f14.tmp (no specs), regsvr32.exe (no specs), nsa782.tmp (no specs), schtasks.exe (no specs), teamviewer_service.exe, teamviewer.exe, tv_w32.exe (no specs)

Process information

PID: 532
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 568
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4364 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 848
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1524 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 876
CMD: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
Path: C:\Windows\System32\schtasks.exe
Parent process: ns5C3C.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

PID: 952
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 984
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1028
CMD: "C:\Users\admin\AppData\Local\Temp\is-ON1EP.tmp\file_z-th3A1.exe" /LANG=en /NA=Rh85hR64
Path: C:\Users\admin\AppData\Local\Temp\is-ON1EP.tmp\file_z-th3A1.exe
Parent process: teamviewer_z-th3A1.tmp
User: admin
Company:
Integrity Level: HIGH
Description:
Exit code: 0
Version: 2.15.1362
Modules
Images
c:\users\admin\appdata\local\temp\is-on1ep.tmp\file_z-th3a1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1316
CMD: "C:\Users\admin\AppData\Local\Temp\is-D0C73.tmp\teamviewer_z-th3A1.tmp" /SL5="$F0184,832512,832512,C:\Users\admin\AppData\Local\Temp\teamviewer_z-th3A1.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-D0C73.tmp\teamviewer_z-th3A1.tmp
Parent process: teamviewer_z-th3A1.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-d0c73.tmp\teamviewer_z-th3a1.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1376
CMD: "C:\Users\admin\AppData\Local\Temp\is-LQG98.tmp\teamviewer_z-th3A1.tmp" /SL5="$F0182,832512,832512,C:\Users\admin\AppData\Local\Temp\teamviewer_z-th3A1.exe" /SPAWNWND=$1001B4 /NOTIFYWND=$F0184
Path: C:\Users\admin\AppData\Local\Temp\is-LQG98.tmp\teamviewer_z-th3A1.tmp
Parent process: teamviewer_z-th3A1.exe
User: admin
Company:
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-lqg98.tmp\teamviewer_z-th3a1.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1384
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1236 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 42 723
Read events: 42 200
Write events: 513
Delete events: 10

Modification events

PID: 1376 | Process: teamviewer_z-th3A1.tmp | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID: 1376 | Process: teamviewer_z-th3A1.tmp | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6 | Operation: write | Name: Blob | Value: (binary blob)
PID: 1376 | Process: teamviewer_z-th3A1.tmp | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6 | Operation: write | Name: Blob | Value: (binary blob)
PID: 1376 | Process: teamviewer_z-th3A1.tmp | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6 | Operation: write | Name: Blob | Value: (binary blob)
PID: 3156 | Process: file_z-th3A1.tmp | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID: 3156 | Process: file_z-th3A1.tmp | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID: 3156 | Process: file_z-th3A1.tmp | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID: 3156 | Process: file_z-th3A1.tmp | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID: 3156 | Process: file_z-th3A1.tmp | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID: 3156 | Process: file_z-th3A1.tmp | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum | Operation: write | Name: Implementing | Value: 1C00000001000000E8070200050002000D002F0027006F01010000001E768127E028094199FEB9D127C57AFE
Executable files: 141
Suspicious files: 197
Text files: 191
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3156 | file_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\is-7K77B.tmp | -
3156 | file_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\teamviewer.exe | -
3156 | file_z-th3A1.tmp | C:\Users\admin\Downloads\teamviewer.exe | -
1376 | teamviewer_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-ON1EP.tmp\is-UV5BI.tmp | executable
  MD5: 65206A84CA7B96C0EDCD302D5E438E16
  SHA256: DCD3128D6997AC8EAACB8EA19CE9C33D6E2C4A9D007A1CC5267ECCEC84A2C328
3156 | file_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\is-TAIUE.tmp | image
  MD5: 4CFFF8DC30D353CD3D215FD3A5DBAC24
  SHA256: 0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
3156 | file_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\botva2.dll | executable
  MD5: 67965A5957A61867D661F05AE1F4773E
  SHA256: 450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105
3600 | teamviewer.exe | C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe | -
3156 | file_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\is-ROQP3.tmp | compressed
  MD5: CD9C77BC5840AF008799985F397FE1C3
  SHA256: 26D7704B540DF18E2BCCD224DF677061FFB9F03CAB5B3C191055A84BF43A9085
3372 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | binary
  MD5: DF0BCCD68449F07F531D76F53C718178
  SHA256: 12025F4DA9E53A8B91892D4F6E6A9B89513F3488BFE9F1EEEC3C05F7EF96BDD8
3416 | teamviewer_z-th3A1.exe | C:\Users\admin\AppData\Local\Temp\is-LQG98.tmp\teamviewer_z-th3A1.tmp | executable
  MD5: E4F2FCC8F97799415387C12DF5B3333D
  SHA256: 66A86B46D569AD09EC24E1901D7A57A8E36E48C2DF77CD3947356A698003F450
HTTP(S) requests: 11
TCP/UDP connections: 77
DNS requests: 84
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3156 | file_z-th3A1.tmp | GET | 200 | 95.168.168.24:80 | http://dl.jalecdn.com/IT/teamviewer.exe | unknown | executable | 41.3 Mb | unknown
2420 | TeamViewer.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEBQhuWUyZF1LyUFQW83cEvI%3D | unknown | binary | 471 b | unknown
3316 | saBSI.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?38d3edba30a05688 | unknown | compressed | 65.2 Kb | unknown
2420 | TeamViewer.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | binary | 1.42 Kb | unknown
3316 | saBSI.exe | GET | 200 | 104.18.20.226:80 | http://secure.globalsign.com/cacert/codesigningrootr45.crt | unknown | binary | 1.37 Kb | unknown
1080 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c14a917a25499794 | unknown | - | - | unknown
2420 | TeamViewer.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | unknown | binary | 2.18 Kb | unknown
2420 | TeamViewer.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a63faaf0d3a4de37 | unknown | - | - | unknown
2420 | TeamViewer.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown
2420 | TeamViewer.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1376 | teamviewer_z-th3A1.tmp | 18.244.115.203:443 | d247nud8rgibi4.cloudfront.net | - | US | unknown
3156 | file_z-th3A1.tmp | 18.239.82.10:443 | d2lg1i07oulbwr.cloudfront.net | - | US | unknown
3156 | file_z-th3A1.tmp | 104.26.14.127:443 | cdn.download.it | CLOUDFLARENET | US | unknown
3156 | file_z-th3A1.tmp | 95.168.168.24:80 | dl.jalecdn.com | LeaseWeb Netherlands B.V. | NL | unknown
3316 | saBSI.exe | 35.85.131.211:443 | analytics.apis.mcafee.com | AMAZON-02 | US | unknown
3316 | saBSI.exe | 23.50.131.75:443 | sadownload.mcafee.com | Akamai International B.V. | DE | unknown
2472 | msedge.exe | 104.26.14.127:443 | cdn.download.it | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
d247nud8rgibi4.cloudfront.net | 18.244.115.203, 18.244.115.108, 18.244.115.38, 18.244.115.9 | unknown
d2lg1i07oulbwr.cloudfront.net | 18.239.82.10, 18.239.82.3, 18.239.82.131, 18.239.82.61 | unknown
cdn.download.it | 104.26.14.127, 172.67.75.124, 104.26.15.127 | whitelisted
dl.jalecdn.com | 95.168.168.24 | unknown
analytics.apis.mcafee.com | 35.85.131.211, 44.239.238.35, 54.149.12.26, 35.163.212.146, 34.218.39.180, 54.69.155.157, 52.88.235.102, 34.210.155.11 | unknown
sadownload.mcafee.com | 23.50.131.75, 23.50.131.76 | whitelisted
download.it | 104.26.14.127, 104.26.15.127, 172.67.75.124 | unknown
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted
config.edge.skype.com | 13.107.43.16 | whitelisted
fonts.gstatic.com | 142.250.185.67 | whitelisted

Threats

PID | Process | Class | Message
3156 | file_z-th3A1.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
3156 | file_z-th3A1.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Process | Message
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\prod0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\prod0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory