Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'svcc' = '%APPDATA%\AppNt\svcc.exe'
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- %TEMP%\ns-elfj7.tmp\ns-aejap.tmp
- %APPDATA%\appnt\nt48e0luix.bmp
- %APPDATA%\appnt\svcc.exe
- %APPDATA%\appnt\teamviewer.ini
- %APPDATA%\appnt\teamviewer_desktop.exe
- %APPDATA%\appnt\teamviewer_resource_en.dll
- %APPDATA%\appnt\teamviewer_staticres.dll
- %APPDATA%\appnt\tv_w32.dll
- %APPDATA%\appnt\tv_w32.exe
- %TEMP%\dgn0g6k1o\ns-cqltr.tmp
- %APPDATA%\appnt\tv_x64.dll
- %APPDATA%\appnt\vfgclcpu3.bat
- %APPDATA%\appnt\x64\install.exe
- %APPDATA%\appnt\x64\teamviewervpn.cat
- %APPDATA%\appnt\x64\teamviewervpn.inf
- %APPDATA%\appnt\x64\teamviewervpn.sys
- %APPDATA%\appnt\x86\install.exe
- %APPDATA%\appnt\x86\teamviewervpn.cat
- %APPDATA%\appnt\x86\teamviewervpn.inf
- %APPDATA%\appnt\blbr3zkc06fu.cfg
- %APPDATA%\appnt\msi.dll
- %TEMP%\dgn0g6k1o\x86\ns-a4ke4.tmp
- %TEMP%\dgn0g6k1o\x86\ns-jbbub.tmp
- %TEMP%\dgn0g6k1o\x86\ns-i3otr.tmp
- %TEMP%\ns-n9gde.tmp\_iscrypt.dll
- %TEMP%\dgn0g6k1o\ns-n8jem.tmp
- %TEMP%\dgn0g6k1o\ns-83sb3.tmp
- %TEMP%\dgn0g6k1o\ns-59h8d.tmp
- %TEMP%\dgn0g6k1o\ns-ffc78.tmp
- %TEMP%\dgn0g6k1o\ns-ugmul.tmp
- %TEMP%\dgn0g6k1o\ns-bh860.tmp
- %TEMP%\dgn0g6k1o\ns-7fg5t.tmp
- %APPDATA%\appnt\x86\teamviewervpn.sys
- %APPDATA%\appnt\tv_x64.exe
- %TEMP%\dgn0g6k1o\ns-qjpdm.tmp
- %TEMP%\dgn0g6k1o\ns-bsuvf.tmp
- %TEMP%\dgn0g6k1o\ns-u48gg.tmp
- %TEMP%\dgn0g6k1o\ns-phqqv.tmp
- %TEMP%\dgn0g6k1o\x64\ns-g0bpj.tmp
- %TEMP%\dgn0g6k1o\x64\ns-6gj5r.tmp
- %TEMP%\dgn0g6k1o\x64\ns-g2t3f.tmp
- %TEMP%\dgn0g6k1o\x64\ns-6cfoq.tmp
- %TEMP%\dgn0g6k1o\x86\ns-cbq9p.tmp
- %TEMP%\ns-n9gde.tmp\_shfoldr.dll
- %TEMP%\dgn0g6k1o\ns-g5jst.tmp
- %TEMP%\pas.exe
- %APPDATA%\appnt\msi.dll
- %APPDATA%\appnt\svcc.exe
- %APPDATA%\appnt\teamviewer.ini
- %APPDATA%\appnt\teamviewer_desktop.exe
- %APPDATA%\appnt\teamviewer_resource_en.dll
- %APPDATA%\appnt\teamviewer_staticres.dll
- %APPDATA%\appnt\tv_w32.dll
- %APPDATA%\appnt\tv_w32.exe
- %APPDATA%\appnt\tv_x64.dll
- %APPDATA%\appnt\tv_x64.exe
- %TEMP%\ns-n9gde.tmp\_iscrypt.dll
- %TEMP%\ns-n9gde.tmp\_shfoldr.dll
- %TEMP%\ns-elfj7.tmp\ns-aejap.tmp
- %TEMP%\dgn0g6k1o\msi.dll
- %TEMP%\dgn0g6k1o\svcc.exe
- %TEMP%\dgn0g6k1o\tv_w32.dll
- %TEMP%\dgn0g6k1o\tv_w32.exe
- %TEMP%\dgn0g6k1o\tv_x64.dll
- %TEMP%\dgn0g6k1o\tv_x64.exe
- %TEMP%\dgn0g6k1o\x64\install.exe
- %TEMP%\dgn0g6k1o\x86\install.exe
- %APPDATA%\appnt\nt48e0luix.bmp
- from %TEMP%\dgn0g6k1o\ns-n8jem.tmp to %TEMP%\dgn0g6k1o\blbr3zkc06fu.cfg
- from %TEMP%\dgn0g6k1o\x86\ns-i3otr.tmp to %TEMP%\dgn0g6k1o\x86\teamviewervpn.cat
- from %TEMP%\dgn0g6k1o\x86\ns-cbq9p.tmp to %TEMP%\dgn0g6k1o\x86\install.exe
- from %TEMP%\dgn0g6k1o\x64\ns-6cfoq.tmp to %TEMP%\dgn0g6k1o\x64\teamviewervpn.sys
- from %TEMP%\dgn0g6k1o\x64\ns-g2t3f.tmp to %TEMP%\dgn0g6k1o\x64\teamviewervpn.inf
- from %TEMP%\dgn0g6k1o\x64\ns-6gj5r.tmp to %TEMP%\dgn0g6k1o\x64\teamviewervpn.cat
- from %TEMP%\dgn0g6k1o\x64\ns-g0bpj.tmp to %TEMP%\dgn0g6k1o\x64\install.exe
- from %TEMP%\dgn0g6k1o\ns-phqqv.tmp to %TEMP%\dgn0g6k1o\vfgclcpu3.bat
- from %TEMP%\dgn0g6k1o\ns-u48gg.tmp to %TEMP%\dgn0g6k1o\tv_x64.exe
- from %TEMP%\dgn0g6k1o\x86\ns-jbbub.tmp to %TEMP%\dgn0g6k1o\x86\teamviewervpn.inf
- from %TEMP%\dgn0g6k1o\ns-bsuvf.tmp to %TEMP%\dgn0g6k1o\tv_x64.dll
- from %TEMP%\dgn0g6k1o\ns-cqltr.tmp to %TEMP%\dgn0g6k1o\tv_w32.dll
- from %TEMP%\dgn0g6k1o\ns-qjpdm.tmp to %TEMP%\dgn0g6k1o\teamviewer_staticres.dll
- from %TEMP%\dgn0g6k1o\ns-7fg5t.tmp to %TEMP%\dgn0g6k1o\teamviewer_resource_en.dll
- from %TEMP%\dgn0g6k1o\ns-bh860.tmp to %TEMP%\dgn0g6k1o\teamviewer_desktop.exe
- from %TEMP%\dgn0g6k1o\ns-ugmul.tmp to %TEMP%\dgn0g6k1o\teamviewer.ini
- from %TEMP%\dgn0g6k1o\ns-ffc78.tmp to %TEMP%\dgn0g6k1o\svcc.exe
- from %TEMP%\dgn0g6k1o\ns-59h8d.tmp to %TEMP%\dgn0g6k1o\nt48e0luix.bmp
- from %TEMP%\dgn0g6k1o\ns-83sb3.tmp to %TEMP%\dgn0g6k1o\msi.dll
- from %TEMP%\dgn0g6k1o\ns-g5jst.tmp to %TEMP%\dgn0g6k1o\tv_w32.exe
- from %TEMP%\dgn0g6k1o\x86\ns-a4ke4.tmp to %TEMP%\dgn0g6k1o\x86\teamviewervpn.sys
- 'public-trust.com':80
- http://tb.###estimer.name/update.php?id#################################################
- http://mu###doge.info/jora.exe
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://tb.###estimer.name/update.php?id#######################################################
- http://cp##ap.site/pas.exe
- http://17#.#6.238.209/IRemotePanel
- DNS ASK pi###.#eamviewer.com
- DNS ASK ma#####.teamviewer.com
- DNS ASK cl####.teamviewer.com
- DNS ASK tb.###estimer.name
- DNS ASK mu###doge.info
- DNS ASK microsoft.com
- DNS ASK cp##ap.site
- DNS ASK ap#.ip.sb
- DNS ASK public-trust.com
- ClassName: '' WindowName: 'TeamViewer Manager'
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- '%TEMP%\ns-elfj7.tmp\ns-aejap.tmp' /SL5 $A021A <Full path to file> 4356510 71168 /password=02k4s4s /verysilent
- '%APPDATA%\appnt\svcc.exe'
- '%TEMP%\pas.exe'
- '%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\dgn0g6k1o\vfgclcpu3.bat""' (with hidden window)
- '%TEMP%\pas.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\dgn0g6k1o\vfgclcpu3.bat""
- '%WINDIR%\syswow64\xcopy.exe' /Y /I /S "%TEMP%\dgn0g6k1o\*" "%APPDATA%\AppNt\"