File name: teamviewer_z-th3A1.exe

Full analysis: https://app.any.run/tasks/1e749ce4-b79b-4d6c-b984-12522b951625
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 02, 2024, 13:46:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 260F4EE8A9FA1699A32089EF1CEB479F
SHA1: 7D5822864AB87B2034FDA7A01D1CA40C2E343D5D
SHA256: F12CC7A5D8E4A03237184C2FED318C7B3103895E2DF523BF5A77CE77011D4E16
SSDEEP: 49152:h7HecD4dnbibBl3zhuJvFfjQbMWR9PYf9fodh8vT90mkO5Tc1T1PkRuOGeT/Wxqo:J+cD4dnQuJBs9C9gdh8vhk2eT7s1kfIS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • teamviewer_z-th3A1.exe (PID: 1632)
      • teamviewer_z-th3A1.exe (PID: 3416)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.exe (PID: 1028)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
      • installer.exe (PID: 1832)
    • Antivirus name has been found in the command line (generic signature)

      • installer.exe (PID: 2992)
    • Uses Task Scheduler to autorun other applications

      • ns5C3C.tmp (PID: 2300)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ns9F14.tmp (PID: 3152)
    • Actions look like stealing of personal data

      • TeamViewer.exe (PID: 2420)
    • Steals credentials from Web Browsers

      • TeamViewer.exe (PID: 2420)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • teamviewer_z-th3A1.exe (PID: 1632)
      • teamviewer_z-th3A1.exe (PID: 3416)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • file_z-th3A1.exe (PID: 1028)
      • saBSI.exe (PID: 3316)
      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
      • installer.exe (PID: 1832)
    • Reads the Windows owner or organization settings

      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
    • Reads settings of System Certificates

      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 2420)
    • Reads the Internet Settings

      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • TeamViewer.exe (PID: 2420)
    • Checks Windows Trust Settings

      • saBSI.exe (PID: 3316)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer.exe (PID: 2420)
      • TeamViewer_Service.exe (PID: 4016)
      • tv_w32.exe (PID: 2152)
    • Process requests binary or script from the Internet

      • file_z-th3A1.tmp (PID: 3156)
    • Reads security settings of Internet Explorer

      • saBSI.exe (PID: 3316)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer.exe (PID: 2420)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 3316)
    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 3316)
      • installer.exe (PID: 2992)
      • installer.exe (PID: 1832)
      • TeamViewer_Service.exe (PID: 4016)
    • The process creates files with name similar to system file names

      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
    • Drops 7-zip archiver for unpacking

      • TeamViewer_.exe (PID: 3536)
    • Starts application with an unusual extension

      • TeamViewer_.exe (PID: 3536)
    • Drops a system driver (possible attempt to evade defenses)

      • TeamViewer_.exe (PID: 3536)
    • Executes as Windows Service

      • TeamViewer_Service.exe (PID: 4016)
    • Reads Microsoft Outlook installation path

      • TeamViewer.exe (PID: 2420)
    • Connects to unusual port

      • TeamViewer_Service.exe (PID: 4016)
    • Reads Internet Explorer settings

      • TeamViewer.exe (PID: 2420)
  • INFO

    • Checks supported languages

      • teamviewer_z-th3A1.tmp (PID: 1316)
      • teamviewer_z-th3A1.exe (PID: 1632)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • teamviewer_z-th3A1.exe (PID: 3416)
      • file_z-th3A1.exe (PID: 1028)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
      • ns95FA.tmp (PID: 3136)
      • ns5C3C.tmp (PID: 2300)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 3172)
      • ns9976.tmp (PID: 2768)
      • ns9F14.tmp (PID: 3152)
      • nsA782.tmp (PID: 3928)
      • TeamViewer_Service.exe (PID: 4016)
      • tv_w32.exe (PID: 2152)
      • TeamViewer.exe (PID: 2420)
      • installer.exe (PID: 1832)
    • Create files in a temporary directory

      • teamviewer_z-th3A1.exe (PID: 1632)
      • teamviewer_z-th3A1.exe (PID: 3416)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • file_z-th3A1.exe (PID: 1028)
      • saBSI.exe (PID: 3316)
      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer.exe (PID: 2420)
    • Reads the computer name

      • teamviewer_z-th3A1.tmp (PID: 1316)
      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • teamviewer.exe (PID: 3600)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer_Service.exe (PID: 4016)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer.exe (PID: 2420)
      • tv_w32.exe (PID: 2152)
    • Reads the machine GUID from the registry

      • teamviewer_z-th3A1.tmp (PID: 1376)
      • file_z-th3A1.tmp (PID: 3156)
      • saBSI.exe (PID: 3316)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer.exe (PID: 3172)
      • TeamViewer_Service.exe (PID: 2736)
      • TeamViewer.exe (PID: 2420)
      • TeamViewer_Service.exe (PID: 4016)
      • tv_w32.exe (PID: 2152)
    • Creates files in the program directory

      • saBSI.exe (PID: 3316)
      • installer.exe (PID: 1832)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer_Service.exe (PID: 4016)
    • Application launched itself

      • msedge.exe (PID: 3372)
      • msedge.exe (PID: 2136)
    • Reads Microsoft Office registry keys

      • TeamViewer_.exe (PID: 3536)
    • Creates files or folders in the user directory

      • saBSI.exe (PID: 3316)
      • TeamViewer_.exe (PID: 3536)
      • TeamViewer.exe (PID: 2420)
    • Manual execution by a user

      • msedge.exe (PID: 2136)
    • Process checks computer location settings

      • TeamViewer_Service.exe (PID: 4016)
      • TeamViewer.exe (PID: 2420)
    • Reads the time zone

      • TeamViewer_Service.exe (PID: 4016)
    • Checks proxy server information

      • TeamViewer.exe (PID: 2420)
    • Reads CPU info

      • TeamViewer.exe (PID: 2420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 18:10:23+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 4.12.2185.0
ProductVersionNumber: 4.12.2185.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Wizard
FileVersion: 4.12.2185
LegalCopyright:
OriginalFileName:
ProductName: Wizard
ProductVersion: 4.12.2185
No data.
All screenshots are available in the full report
Total processes
93
Monitored processes
47
Malicious processes
13
Suspicious processes
4

Behavior graph

Process start order ("no specs" marks a process that triggered no specific indicator):
teamviewer_z-th3a1.exe, teamviewer_z-th3a1.tmp (no specs), teamviewer_z-th3a1.exe, teamviewer_z-th3a1.tmp, file_z-th3a1.exe, file_z-th3a1.tmp, sabsi.exe, teamviewer.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), teamviewer_.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), installer.exe, installer.exe (no specs), ns5c3c.tmp, schtasks.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), ns95fa.tmp (no specs), teamviewer_service.exe (no specs), ns9976.tmp (no specs), teamviewer.exe (no specs), ns9f14.tmp (no specs), regsvr32.exe (no specs), nsa782.tmp (no specs), schtasks.exe (no specs), teamviewer_service.exe, teamviewer.exe, tv_w32.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 532
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 568
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4364 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 848
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1524 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 876
CMD: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
Path: C:\Windows\System32\schtasks.exe
Parent process: ns5C3C.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 952
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 984
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1028
CMD: "C:\Users\admin\AppData\Local\Temp\is-ON1EP.tmp\file_z-th3A1.exe" /LANG=en /NA=Rh85hR64
Path: C:\Users\admin\AppData\Local\Temp\is-ON1EP.tmp\file_z-th3A1.exe
Parent process: teamviewer_z-th3A1.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
2.15.1362
Modules
Images
c:\users\admin\appdata\local\temp\is-on1ep.tmp\file_z-th3a1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1316
CMD: "C:\Users\admin\AppData\Local\Temp\is-D0C73.tmp\teamviewer_z-th3A1.tmp" /SL5="$F0184,832512,832512,C:\Users\admin\AppData\Local\Temp\teamviewer_z-th3A1.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-D0C73.tmp\teamviewer_z-th3A1.tmp
Parent process: teamviewer_z-th3A1.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-d0c73.tmp\teamviewer_z-th3a1.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1376
CMD: "C:\Users\admin\AppData\Local\Temp\is-LQG98.tmp\teamviewer_z-th3A1.tmp" /SL5="$F0182,832512,832512,C:\Users\admin\AppData\Local\Temp\teamviewer_z-th3A1.exe" /SPAWNWND=$1001B4 /NOTIFYWND=$F0184
Path: C:\Users\admin\AppData\Local\Temp\is-LQG98.tmp\teamviewer_z-th3A1.tmp
Parent process: teamviewer_z-th3A1.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-lqg98.tmp\teamviewer_z-th3a1.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1384"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1236 --field-trial-handle=1340,i,2148612719276697090,15697926473200416852,131072 /prefetch:2C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
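The schtasks entry for PID 876 (parent ns5C3C.tmp) is the persistence mechanism behind the "Uses Task Scheduler to autorun other applications" indicator: a task named TVInstallRestore that runs the dropped TeamViewer_.exe with /RESTORE as SYSTEM at every logon, with /F so that any existing task of that name is replaced without prompting. The script below is an added example, not code from the report, from ANY.RUN or from TeamViewer. It turns such a captured command line into triage findings: it splits the arguments the way Windows does (double quotes group, and \" inside a quoted argument is a literal quote, which is exactly how the captured /TR value is written), pulls out /TN, /TR, /RU, /SC and /F, and flags the traits that matter to a responder. The first sample is the report's own command line; the second sample, the list of value-less options and the list of writable directories are my own constructions for illustration.

```python
"""Triage a captured `schtasks /Create` command line for persistence traits.
Added example: not code from the report, ANY.RUN or TeamViewer."""

# Command line of PID 876 in the report (parent: ns5C3C.tmp), verbatim
REPORT_CMDLINE = (r'C:\Windows\system32\schtasks /Create /TN TVInstallRestore '
                  r'/TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" '
                  r'/RU SYSTEM /SC ONLOGON /F')
# Constructed sample, NOT from the report: a repeating task pointing into the user's AppData
CONSTRUCTED_CMDLINE = (r'schtasks.exe /Create /SC MINUTE /MO 5 /TN "Windows Update Helper" '
                       r'/TR "C:\Users\admin\AppData\Roaming\upd.exe --quiet" /F')

FLAG_ONLY = {"/CREATE", "/DELETE", "/QUERY", "/RUN", "/F", "/IT", "/NP", "/Z"}  # options without a value
BOOT_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE"}
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\", "\\users\\public\\")  # my heuristic


def split_windows_args(cmdline):
    """Split the way CommandLineToArgvW does for the cases that matter here:
    double quotes group, \\" inside a quoted argument is a literal quote, all else is verbatim."""
    args, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and cmdline[i + 1:i + 2] == '"':   # escaped quote: keep it, do not toggle quoting
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline):
    """Map /OPTION -> value (True for value-less options); args[0] is the schtasks binary itself."""
    args, opts, i = split_windows_args(cmdline), {}, 1
    while i < len(args):
        key = args[i].upper()
        if not key.startswith("/"):
            i += 1
        elif key in FLAG_ONLY or i + 1 == len(args) or args[i + 1].startswith("/"):
            opts[key] = True
            i += 1
        else:
            opts[key] = args[i + 1]
            i += 2
    return opts


def task_program(tr):
    """Program from a /TR value: the quoted path, or everything before the first space."""
    tr = tr.strip()
    if tr.startswith('"') and '"' in tr[1:]:
        return tr[1:tr.index('"', 1)]
    return tr.split(" ", 1)[0]


def triage(cmdline):
    o = parse_schtasks(cmdline)
    program = task_program(str(o.get("/TR", "")))
    run_as, schedule = str(o.get("/RU", "")).upper(), str(o.get("/SC", "")).upper()
    findings = []
    if run_as in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        findings.append("runs as SYSTEM")
    if schedule in BOOT_TRIGGERS:
        findings.append(f"fires at {schedule}")
    elif schedule == "MINUTE":
        findings.append(f"repeats every {o.get('/MO', 1)} minute(s)")
    if o.get("/F"):
        findings.append("/F silently replaces an existing task of the same name")
    if any(d in program.lower() for d in WRITABLE_DIRS):
        findings.append("target lives in a user-writable location")
    return {"task": o.get("/TN"), "program": program, "findings": findings}
```

For the report's command line this yields the task name, the target C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe and three findings (SYSTEM, ONLOGON, /F); the natural follow-up is to verify the signature of that target binary, since a SYSTEM logon task is only as trustworthy as the file it points at. The constructed sample shows the other common shape, a short-interval repeating task whose target sits under AppData.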
Total events
42 723
Read events
42 200
Write events
513
Delete events
10

Modification events

(PID) Process: (1376) teamviewer_z-th3A1.tmp
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1376) teamviewer_z-th3A1.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write (three consecutive write events to this value are recorded; the blob is shown once)
Name: Blob
Value:
1400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D70300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB60F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D8200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3

(PID) Process: (3156) file_z-th3A1.tmp
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3156) file_z-th3A1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3156) file_z-th3A1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3156) file_z-th3A1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3156) file_z-th3A1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3156) file_z-th3A1.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation: write
Name: Implementing
Value: 1C00000001000000E8070200050002000D002F0027006F01010000001E768127E028094199FEB9D127C57AFE
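The EnterpriseCertificates\Root write above is the most consequential event in this table: the installer (PID 1376) adds a certificate to the machine-wide root store that Windows normally populates only through Group Policy. The Blob value is the serialized form Windows uses for store entries, a sequence of property records whose last record is the DER certificate, so it can be dissected offline. The script below is an added example, not part of the report or of any tool it names. It takes the hex blob exactly as printed above, decodes the property records, walks the DER with a minimal parser, and reports what an analyst needs: subject and issuer, validity window, whether basicConstraints marks the certificate as a CA, whether it is self-signed, and whether the SHA-1 of the certificate matches the registry key name. The property IDs are the wincrypt.h constants (3, 20 and 32 for the SHA-1 hash, the key identifier and the certificate itself); the X.509 structure is standard.

```python
"""Dissect the Blob that teamviewer_z-th3A1.tmp (PID 1376) wrote under
HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\<thumbprint> (stdlib only)."""
import hashlib
from datetime import datetime

STORE_KEY = "9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6"   # registry key name in the report
BLOB_HEX = (  # Blob value exactly as printed in the report's modification events
    "1400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D7"  # prop 20: key identifier
    "0300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6"  # prop 3: SHA-1 thumbprint
    "0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D8"  # prop 15
    "200000000100000047030000"                                          # prop 32: 0x347-byte DER cert
    "308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B0500"
    "3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274"
    "301E170D3233303932393130353030335A170D3339303530383130353030335A"
    "3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274"
    "30820122300D06092A864886F70D01010105000382010F003082010A0282010100"
    "D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604C"
    "B3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB"
    "59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F1"
    "9D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964"
    "F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF41647"
    "6D17CB64C5570FCED443BD75D9F2C632FF0203010001"
    "A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7"
    "301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7"
    "300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100"
    "AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10"
    "D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A94784"
    "10D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6"
    "E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060"
    "FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC06"
    "6EE4BF9C5C8F2F2A05D0C1921A9E3E85E3"
)
CERT_SHA1_HASH_PROP_ID, CERT_KEY_IDENTIFIER_PROP_ID, CERT_CERT_PROP_ID = 3, 20, 32  # wincrypt.h

def parse_blob_properties(blob):
    """Blob = records of DWORD prop_id, DWORD reserved (always 1 here), DWORD size, data."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id = int.from_bytes(blob[off:off + 4], "little")
        size = int.from_bytes(blob[off + 8:off + 12], "little")
        props[prop_id] = blob[off + 12:off + 12 + size]
        off += 12 + size
    return props

def der_read(buf, off=0):
    """One definite-length TLV at off -> (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_read(value, off)
        out.append((tag, val))
    return out

ATTR = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}
def parse_name(name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue -> 'C=US, ST=Boston, O=...'."""
    parts = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, text) = der_children(atv)
            parts.append(f"{ATTR.get(oid, oid.hex())}={text.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def parse_time(tag, value):                        # 0x17 UTCTime (YY), 0x18 GeneralizedTime (YYYY)
    return datetime.strptime(value.decode(), "%Y%m%d%H%M%SZ" if tag == 0x18 else "%y%m%d%H%M%SZ")

def parse_certificate(der):
    tbs, _sig_alg, _sig = der_children(der_read(der)[1])
    f = der_children(tbs[1])
    i = 1 if f[0][0] == 0xA0 else 0                # optional EXPLICIT [0] version
    issuer, subject = parse_name(f[i + 2][1]), parse_name(f[i + 4][1])
    not_before, not_after = (parse_time(t, v) for t, v in der_children(f[i + 3][1]))
    is_ca = False
    for tag, val in f[i + 6:]:                     # [3] Extensions, when present
        if tag != 0xA3:
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            ef = der_children(ext)                 # OID, optional critical BOOLEAN, OCTET STRING
            if ef[0][1] == b"\x55\x1d\x13":        # id-ce-basicConstraints
                bc = der_children(der_children(ef[-1][1])[0][1])
                is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    return {"serial": f[i][1].hex().upper(), "issuer": issuer, "subject": subject,
            "not_before": not_before, "not_after": not_after, "is_ca": is_ca,
            "self_signed": issuer == subject, "sha1": hashlib.sha1(der).hexdigest().upper()}

def analyze_root_store_write(blob_hex, store_key):
    """The checks an analyst wants for a Root-store write: who is the CA, does the key name match."""
    props = parse_blob_properties(bytes.fromhex(blob_hex))
    r = parse_certificate(props[CERT_CERT_PROP_ID])
    r["key_id"] = props[CERT_KEY_IDENTIFIER_PROP_ID].hex().upper()
    r["key_matches_thumbprint"] = store_key == r["sha1"] == props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    r["new_trust_anchor"] = r["is_ca"] and r["self_signed"]   # self-signed CA = trust anchor, not a leaf
    return r
```

Run against the blob, this reports a self-signed CA with subject and issuer C=US, ST=Boston, O=DigiCert, valid from 2023-09-29 to 2039-05-08, with basicConstraints CA:TRUE and a thumbprint that matches the registry key name. It has no CN and does not correspond to any DigiCert root (those are issued under O=DigiCert Inc); it is a freshly minted trust anchor that borrows a public CA's name. Once it sits in the machine Root store, any TLS or code-signing certificate issued by that key is trusted on the host. Note that the report's "Adds/modifies Windows certificates" indicator is attributed to saBSI.exe, while the write recorded here is attributed to PID 1376; both are worth following up.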
Executable files
141
Suspicious files
197
Text files
191
Unknown types
1

Dropped files

PID | Process | Filename | Type

3156 | file_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\is-7K77B.tmp | -
MD5: -
SHA256: -

3156 | file_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\teamviewer.exe | -
MD5: -
SHA256: -

3156 | file_z-th3A1.tmp | C:\Users\admin\Downloads\teamviewer.exe | -
MD5: -
SHA256: -

3548 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma | binary
MD5: 886E82F2CA62ECCCE64601B30592078A
SHA256: E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E

1376 | teamviewer_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-ON1EP.tmp\file_z-th3A1.exe | executable
MD5: 65206A84CA7B96C0EDCD302D5E438E16
SHA256: DCD3128D6997AC8EAACB8EA19CE9C33D6E2C4A9D007A1CC5267ECCEC84A2C328

3316 | saBSI.exe | C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00000057003F001D0006.txt | text
MD5: 0D6FDAB197D7F0BA75D09A7029E7E651
SHA256: E823D50E87B63E8EF3892C1C984DBFAAC9B28C578494C24906A6E28365CCFF0E

3600 | teamviewer.exe | C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe | -
MD5: -
SHA256: -

1632 | teamviewer_z-th3A1.exe | C:\Users\admin\AppData\Local\Temp\is-D0C73.tmp\teamviewer_z-th3A1.tmp | executable
MD5: E4F2FCC8F97799415387C12DF5B3333D
SHA256: 66A86B46D569AD09EC24E1901D7A57A8E36E48C2DF77CD3947356A698003F450

3156 | file_z-th3A1.tmp | C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\is-5HA0M.tmp | image
MD5: 30100EA3F4315E291F2F639655E85AC1
SHA256: 6A44BF6BA64D5414D56A7CE9BB97864C97030872A7C0A56B2AE47F73D15F79F6

3416 | teamviewer_z-th3A1.exe | C:\Users\admin\AppData\Local\Temp\is-LQG98.tmp\teamviewer_z-th3A1.tmp | executable
MD5: E4F2FCC8F97799415387C12DF5B3333D
SHA256: 66A86B46D569AD09EC24E1901D7A57A8E36E48C2DF77CD3947356A698003F450
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
77
DNS requests
84
Threats
2

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3156 | file_z-th3A1.tmp | GET | 200 | 95.168.168.24:80 | http://dl.jalecdn.com/IT/teamviewer.exe | unknown | executable | 41.3 Mb | unknown
2420 | TeamViewer.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a63faaf0d3a4de37 | unknown | - | - | unknown
3316 | saBSI.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?38d3edba30a05688 | unknown | compressed | 65.2 Kb | unknown
2420 | TeamViewer.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | binary | 1.42 Kb | unknown
3316 | saBSI.exe | GET | 200 | 104.18.20.226:80 | http://secure.globalsign.com/cacert/codesigningrootr45.crt | unknown | binary | 1.37 Kb | unknown
2420 | TeamViewer.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | unknown | binary | 2.18 Kb | unknown
2420 | TeamViewer.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEBQhuWUyZF1LyUFQW83cEvI%3D | unknown | binary | 471 b | unknown
1080 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c14a917a25499794 | unknown | - | - | unknown
2420 | TeamViewer.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
2420 | TeamViewer.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEE80yiW5Mf2wCipGbb3nZn0%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1376 | teamviewer_z-th3A1.tmp | 18.244.115.203:443 | d247nud8rgibi4.cloudfront.net | - | US | unknown
3156 | file_z-th3A1.tmp | 18.239.82.10:443 | d2lg1i07oulbwr.cloudfront.net | - | US | unknown
3156 | file_z-th3A1.tmp | 104.26.14.127:443 | cdn.download.it | CLOUDFLARENET | US | unknown
3156 | file_z-th3A1.tmp | 95.168.168.24:80 | dl.jalecdn.com | LeaseWeb Netherlands B.V. | NL | unknown
3316 | saBSI.exe | 35.85.131.211:443 | analytics.apis.mcafee.com | AMAZON-02 | US | unknown
3316 | saBSI.exe | 23.50.131.75:443 | sadownload.mcafee.com | Akamai International B.V. | DE | unknown
2472 | msedge.exe | 104.26.14.127:443 | cdn.download.it | CLOUDFLARENET | US | unknown

DNS requests

Domain
IP
Reputation
d247nud8rgibi4.cloudfront.net
  • 18.244.115.203
  • 18.244.115.108
  • 18.244.115.38
  • 18.244.115.9
unknown
d2lg1i07oulbwr.cloudfront.net
  • 18.239.82.10
  • 18.239.82.3
  • 18.239.82.131
  • 18.239.82.61
unknown
cdn.download.it
  • 104.26.14.127
  • 172.67.75.124
  • 104.26.15.127
whitelisted
dl.jalecdn.com
  • 95.168.168.24
unknown
analytics.apis.mcafee.com
  • 35.85.131.211
  • 44.239.238.35
  • 54.149.12.26
  • 35.163.212.146
  • 34.218.39.180
  • 54.69.155.157
  • 52.88.235.102
  • 34.210.155.11
unknown
sadownload.mcafee.com
  • 23.50.131.75
  • 23.50.131.76
whitelisted
download.it
  • 104.26.14.127
  • 104.26.15.127
  • 172.67.75.124
unknown
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
config.edge.skype.com
  • 13.107.43.16
whitelisted
fonts.gstatic.com
  • 142.250.185.67
whitelisted

Threats

PID | Process | Class | Message
3156 | file_z-th3A1.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
3156 | file_z-th3A1.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Debug output

Process | Message
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\prod0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-6VTVD.tmp\prod0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory