Welcome to the next post in our DFIR Next Steps series on remote monitoring and management (RMM) tools. This series is designed to help you quickly understand the impact when you or your tools detect something.
This post focuses on what happens after you detect TeamViewer. Check out the series initial post to get a general idea of what to do next after identifying RMM tools in your environment.
DFIR Basics of TeamViewer
- What is it? TeamViewer is a commercial remote access application that allows for interactive access to a host.
- How do attackers use it? Attackers may either install it or leverage an existing installation. It provides them with access to the host.
- Is it always bad? No, it is a legitimate tool in some environments, and its mere existence is not bad.
- What kinds of artifacts does it leave behind? If it exists and was run, you can find the program’s executable files, services, logs, and process execution artifacts.
TeamViewer, like many RMM tools, is often abused by threat actors. It can be brought in as part of the attacker’s tooling but can also be leveraged when it already exists in an environment.
Two key features that make TeamViewer appealing to threat actors are:
- Ease of use for remote management.
- Ability to transfer files bidirectionally.
Some common scenarios TeamViewer has been used for are:
- Distributing ransomware
- Remote code execution
- Lateral movement
- Persistence
- Data exfiltration
The following blogs have documented TeamViewer abuse by threat actors:
- Huntress: Ransomware Deployment Attempts Via TeamViewer
- Huntress: XMRig Cryptomining By Way Of TeamViewer
- ESET: A deep look at Evilnum and its toolset
- The DFIR Report: Ursnif via LOLbins
DFIR Next Steps
We’ll cover how to detect TeamViewer in the next section, but if your detection or DFIR tools (such as Cyber Triage) already notified you that TeamViewer exists, here are some key steps.
Confirm It’s Malicious
TeamViewer is normal in some environments.
Before declaring it’s from the attacker:
- Confirm with IT or the MSP if it should be there.
- If so, review the logs to ensure the users and sources are expected.
Backwards: What Must Have Happened Before
Once attacker activity is confirmed, it’s important to think through how it happened.
- If TeamViewer is part of the normal environment and the attacker used it, you’ll need to identify how they got the credentials or access codes.
- If TeamViewer is not part of the normal environment, that implies the attacker had access to the system either via some other remote access tool or command and control (C2).
- Look for traces of other remote access or C2 tools.
- Determine how TeamViewer was downloaded:
- Check for web activity to download.teamviewer.com.
- Check for dates on the TeamViewer application and review other system activity at the same time.
- Check for the dates on the TeamViewer folder and review other system activity at the same time.
- Review when TeamViewer was first run (event logs, log files, etc.) and compare to other system activity.
Forwards: What They Did Next
Nearly anything could have happened once an attacker gained remote access to the system.
The basic concepts for you to think about are:
- When was TeamViewer last run on the system? Was it running when you got access to it or had the attacker stopped launching it?
- What do the logs show for logins? Note the time ranges for the suspicious connections and file transfers. Use a system timeline to see what else was happening on the system at that time.
TeamViewer Overview
TeamViewer is the name of both the company and its products. It is one of the most popular commercial remote management products available and comes in both free and paid versions.
Versions
There are four versions of TeamViewer attackers could use:
- TeamViewer Full Client: This is installed on an endpoint and is used for both remote access to this system and to other systems. Both sides must interact with the host to start a connection.
- TeamViewer Host: Client that allows access to the endpoint at any time the endpoint is running. Local user does not need to authorize the connection. This is intended to be used for remote access to servers.
- TeamViewer Quick Support: This is designed for tech support situations where TeamViewer is not usually running. It’s a one-time session that doesn’t require admin permissions. But, you need to have access to the host before you can leverage TeamViewer, which makes it less ideal for attackers. The user launches the “Quick Support” executable and then enters a unique code. That will connect them with whoever initiated the support session.
- TeamViewer Web App: Provides an interface to initiate connections to remotely access systems that are running any of the above clients.
TeamViewer Files and Artifacts
We know TeamViewer can be abused by threat actors… but how can you determine if TeamViewer has been used on a system? There are many indicators you can look for to help identify if TeamViewer was present on an endpoint.
Executables
The following are the core executable files for TeamViewer.
Executable | Description |
---|---|
TeamViewer.exe | The main TeamViewer executable that provides the GUI as well as makes connections between endpoints. It creates subprocesses of tv_w32.exe and tv_x64.exe when started, and TeamViewer_Desktop.exe on successful connection. |
TeamViewer_Desktop.exe | The main process responsible for providing the remote desktop view to interact with. It is created when a new remote session is initiated. |
TeamViewer_Service.exe | Windows service exe that runs TeamViewer when installed as a service. This provides easier management as a user is not needed to accept remote connections. |
tv_w32.exe | Although its specific use is unclear, it’s a core exe used as part of the remote management process. |
tv_x64.exe | Although its specific use is unclear, it’s a core exe used as part of the remote management process. |
TeamViewerQS_x64.exe / TeamViewerQS.exe | Setup exe for Quick Support. It acts as a wrapper to download all the necessary files for TeamViewer to run. Downloaded files are put into %temp%\teamviewer, so admin privileges are not required. It starts TeamViewer.exe when complete. |
TeamViewer_Setup_x64.exe / TeamViewer_Setup.exe | Setup exe used to download and install the TeamViewer full client. This process will require admin privileges as it installs TeamViewer and puts files into the C:\Program Files folder. |
Log Files
TeamViewer clients will generate log files when run. Finding these files can indicate the client was run and can sometimes show what was done within TeamViewer (e.g., incoming versus outgoing connections, or file transfers).
- %LocalAppData%\TeamViewer\Logs\TeamViewer*_Logfile*.log (portable)
- %PROGRAMFILES%\TeamViewer\TeamViewer*_Logfile*.log (installed)
- Contains debug information for TeamViewer. A lot of information can be obtained from the file but it can also be hard to parse through as the file is meant for debugging. TeamViewer has some documentation on this file here.
- When the log file becomes larger than its max size (default is 1MB), it is saved as Logfile_old.log, and a new log file is created as noted here.
- Sample data from initiating device (only showing a few key events; there is a lot more information that can be found in here):
```text
# Connection initiated to partner ID 54*******
2025/08/12 20:19:43.572 10196 9676 G2 tvsessionmanagement::OutgoingConnectionFactory::ConnectAsync: Trying connection to 54*******, mode = 1, easyAccess = 0
# Used to identify our ID if needed 55*******
2025/08/12 20:19:43.573 10196 12052 G2 CParticipantManagerBase::SetMyParticipantIdentifier(): pid=[55*******,2006600682]
2025/08/12 20:19:44.695 9164 7624 S0 Net: RoutingSessions: New session, SLID=16. Router: ID=915383284, IP-address="162.250.5.70".
2025/08/12 20:19:44.695 9164 7624 S0 CTcpConnectionBase[42]::HandleResolveSuccess(): Connecting to us-njc-anx-r003.router.teamviewer.com
2025/08/12 20:19:44.695 9164 7624 S0 TcpConnectorv4[42]::ConnectEndpoint(): Connecting to endpoint 162.250.5.70:5938
2025/08/12 20:19:44.709 9164 8372 S0 Net: RoutingSessions: We joined session as active side, SLID=16, SessionUUID={9de67124-20e5-46a0-9bb3-9aafe680f66f}, ActionID=296496228. We: ParticipantID=[55*******,2006600682]. Router: ID=915383284, IP-address="162.250.5.70".
# Used to identify IP of remote system (if the device is within the network it will be a private IP, otherwise it will only show the device's public IP)
2025/08/12 20:21:56.463 9164 5084 S0 UDPv4: punch received a=10.1.2.150:59228: (*)
# Used to identify when client has left the session
2025/08/12 20:22:08.732 9164 5084 S0 Net: RoutingSessions: We left session, SLID=16, SessionUUID={9de67124-20e5-46a0-9bb3-9aafe680f66f}.
```
- %appdata%\TeamViewer\Connections.txt (both portable and installed)
- Contains information on successful outbound connections made from TeamViewer.
- Sample data:
```text
54****** 08-08-2025 17:07:23 08-08-2025 17:07:39 User1 RemoteControl {b93db858-9085-402e-a47f-742bed9b24b3}
```
- Column 1 = Partner ID of target system.
- Column 2 = UTC timestamp of when TeamViewer session started.
- Column 3 = UTC timestamp of when TeamViewer session completed.
- Column 4 = Windows User account TeamViewer is running as.
- Column 5 = Type of support (RemoteControl, Filetransfer, or RemoteTerminal).
- Column 6 = GUID to identify the session.
- %temp%\TeamViewer\Connections_incoming.txt (portable)
- %PROGRAMFILES%\TeamViewer\Connections_incoming.txt (installed)
- Contains information on successful inbound connections made from TeamViewer.
- Sample data:
```text
55******* blah 08-08-2025 17:07:00 08-08-2025 17:07:16 User1 RemoteControl {b93db858-9085-402e-a47f-742bed9b24b3}
56******* blah 13-08-2025 02:10:03 13-08-2025 02:10:32 User1 RemoteControl {a9974cb8-7594-4038-8aba-8a3a99eca92c}
55******* blah 13-08-2025 03:00:37 13-08-2025 03:00:58 User1 Filetransfer {a495faed-3f07-4016-832d-1bdaadee9ffe}
```
- Column 1 = Partner ID of remote system.
- Column 2 = Display name associated with a TeamViewer account.*
- Column 3 = UTC timestamp of when TeamViewer session started.
- Column 4 = UTC timestamp of when TeamViewer session completed.
- Column 5 = Windows User account TeamViewer is running as.
- Column 6 = Type of support (RemoteControl, Filetransfer, or RemoteTerminal).
- Column 7 = GUID to identify the session.
*Note: Newer versions of TeamViewer require an account to be associated with them before allowing outbound connections. As a result, this represents the display name associated with that account. It can change in between each session, so it’s not entirely reliable. Furthermore, older versions that do not have an account associated with them will show the TeamViewer display name, which by default is the hostname of the system, but again can be changed.
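As an added example (not code from this post, TeamViewer or Cyber Triage), the following Python parses both Connections.txt and Connections_incoming.txt into one UTC timeline and pulls out the file-transfer sessions. The partner IDs and the two-word display name are constructed; the fixed fields are split from the right so that a display name containing spaces does not break the parse.

```python
"""Parse TeamViewer Connections.txt (outbound) and Connections_incoming.txt (inbound)
into one timeline. Added example for this post, not TeamViewer's or Cyber Triage's code."""
from datetime import datetime, timezone

# Constructed records modelled on the post's samples; the masked partner IDs are
# replaced with made-up nine-digit values and one display name contains a space.
OUTBOUND = """541111111 08-08-2025 17:07:23 08-08-2025 17:07:39 User1 RemoteControl {b93db858-9085-402e-a47f-742bed9b24b3}
"""
INBOUND = """551111111 blah 08-08-2025 17:07:00 08-08-2025 17:07:16 User1 RemoteControl {b93db858-9085-402e-a47f-742bed9b24b3}
561111111 Help Desk 13-08-2025 02:10:03 13-08-2025 02:10:32 User1 RemoteControl {a9974cb8-7594-4038-8aba-8a3a99eca92c}
551111111 blah 13-08-2025 03:00:37 13-08-2025 03:00:58 User1 Filetransfer {a495faed-3f07-4016-832d-1bdaadee9ffe}
"""

def _ts(day: str, clock: str) -> datetime:
    # Timestamps are day-month-year and already UTC, so tag them explicitly.
    return datetime.strptime(f"{day} {clock}", "%d-%m-%Y %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_line(line: str, direction: str):
    """Split one record. The display name (inbound only) may contain spaces, so the
    fixed fields are taken from both ends and the name is whatever is left over."""
    t = line.split()
    if len(t) < 8:
        return None  # blank or truncated record
    rec = {
        "direction": direction,
        "partner_id": t[0],
        "display_name": " ".join(t[1:-7]) or None,  # None for outbound records
        "start": _ts(t[-7], t[-6]),
        "end": _ts(t[-5], t[-4]),
        "user": t[-3],
        "kind": t[-2],  # RemoteControl, Filetransfer or RemoteTerminal
        "session": t[-1],
    }
    rec["seconds"] = int((rec["end"] - rec["start"]).total_seconds())
    return rec

def build_timeline(outbound: str, inbound: str) -> list:
    recs = [parse_line(l, "out") for l in outbound.splitlines()]
    recs += [parse_line(l, "in") for l in inbound.splitlines()]
    return sorted((r for r in recs if r), key=lambda r: r["start"])

def file_transfers(timeline: list) -> list:
    # File-transfer sessions are the first ones to line up against exfil concerns.
    return [r for r in timeline if r["kind"] == "Filetransfer"]

if __name__ == "__main__":
    for r in build_timeline(OUTBOUND, INBOUND):
        print(f'{r["start"]:%Y-%m-%d %H:%M:%S}Z {r["direction"]:<3} {r["partner_id"]} '
              f'{r["kind"]:<13} {r["seconds"]:>4}s {r["display_name"] or "-"}')
```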
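The TeamViewer*_Logfile*.log sample shown earlier can be reduced to a session summary (partner dialled, brokering router, peer address from the UDP hole-punch, session end) with a few line patterns. This is an added example, not TeamViewer's code; the regexes cover only the message types quoted in that sample, and the masked partner ID is replaced with a constructed value.

```python
import re
from datetime import datetime

# Added example, not TeamViewer's code. Constructed lines modelled on the post's sample;
# the masked partner ID is replaced with 541111111, router and peer addresses as quoted.
SAMPLE_LOG = """2025/08/12 20:19:43.572 10196 9676 G2 tvsessionmanagement::OutgoingConnectionFactory::ConnectAsync: Trying connection to 541111111, mode = 1, easyAccess = 0
2025/08/12 20:19:44.695 9164 7624 S0 Net: RoutingSessions: New session, SLID=16. Router: ID=915383284, IP-address="162.250.5.70".
2025/08/12 20:19:44.695 9164 7624 S0 TcpConnectorv4[42]::ConnectEndpoint(): Connecting to endpoint 162.250.5.70:5938
2025/08/12 20:21:56.463 9164 5084 S0 UDPv4: punch received a=10.1.2.150:59228: (*)
2025/08/12 20:22:08.732 9164 5084 S0 Net: RoutingSessions: We left session, SLID=16, SessionUUID={9de67124-20e5-46a0-9bb3-9aafe680f66f}.
"""

# Line layout: date time pid tid level message
HEADER = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+) (\d+) (\S+) (.*)$")
PATTERNS = {  # only the message types quoted in the post are recognised
    "connect_attempt": re.compile(r"Trying connection to (\d+)"),
    "router": re.compile(r'New session, SLID=(\d+)\. Router: ID=\d+, IP-address="([\d.]+)"'),
    "peer_punch": re.compile(r"punch received a=([\d.]+):(\d+)"),
    "left_session": re.compile(r"We left session, SLID=(\d+)"),
}

def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line
        # The post does not state the log's time zone, so the timestamp stays naive.
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        for name, pat in PATTERNS.items():
            hit = pat.search(m.group(5))
            if hit:
                events.append({"time": when, "event": name, "pid": int(m.group(2)), "fields": hit.groups()})
                break
    return events

def summarize(events: list) -> dict:
    # Collapse the events into who we dialled, the router, the peer address and the end time.
    s = {}
    for e in events:
        f = e["fields"]
        if e["event"] == "connect_attempt":
            s["partner_id"], s["start"] = f[0], e["time"]
        elif e["event"] == "router":
            s["router_ip"] = f[1]
        elif e["event"] == "peer_punch":
            s["peer_ip"] = f[0]
        elif e["event"] == "left_session":
            s["end"] = e["time"]
    if "start" in s and "end" in s:
        s["seconds"] = round((s["end"] - s["start"]).total_seconds())
    return s
```

The "Connecting to endpoint" line is deliberately left unmatched to show that lines outside the recognised set are skipped rather than misclassified.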
Folders
Folders can be used as a corroborating source to identify when TeamViewer was first run and provide solid evidence it existed on the system.
Path | Details |
---|---|
%temp%\TeamViewer | Used for some logging in the non-installed version of TeamViewer. |
%localappdata%\TeamViewer | Used as the “installation” folder when TeamViewer is not installed but is run as a portable or Quick Support version. This folder will be created the first time the Quick Support version of TeamViewer is run. |
%appdata%\TeamViewer | Contains some log files, such as Connections.txt. |
%programfiles%\TeamViewer | Default installation directory where TeamViewer binaries and logs are stored. |
%ProgramFiles(x86)%\TeamViewer | Default installation directory for 32-bit version on 64-bit host. |
Domains
Network and browser artifacts for the following domains provide additional evidence that TeamViewer was downloaded onto or run on the endpoint.
Domain | Details |
---|---|
router.teamviewer.com | Used by TeamViewer clients and indicates TeamViewer has been used on the endpoint. |
web.teamviewer.com | Used to get access to the TeamViewer web app. |
download.teamviewer.com | Used to download TeamViewer. |
References
- Synacktiv: Legitimate RATs: a comprehensive forensic analysis of the usual suspects
- LOLRMM: TeamViewer
- Vikas Singh: TeamViewer
- Ben’s IR Notes: TeamViewer Forensics
- Kyle Song: IPv6 in TeamViewer(v15) part 1