Hi,
A friend of mine reached out to me recently - they were the target of a scam, where TeamViewer was installed and credentials provided. They turned off TV pretty soon after remote control was gained, with a minute or 2 window, and I have walked them through sending the log file to me.
I am looking through the log and have identified the time period that had access. I'd like to figure out the extent of what happened - specifically to identify if a backdoor was uploaded, and/or any files were transferred off the target host.
I can see the session being initialized with events like this:
[logs removed per Community Guidelines]
There are a few other events that happen - "AutoStart recording function called" looks like it tries to set up VoIP: AudioControl to access the mic next.
After that, I see:
[logs removed per Community Guidelines]
and then within 5 seconds of that, the PC was turned off.
Is there a reference article somewhere that defines key events in the log file and what they mean? And from anyone with experience in this, any events I should look for?
Lastly, as a free / non-commercial user, should this be reported to the TV team? Not sure if they look at remote IPs or sources / accounts of scammers in any security db...
Thanks in advance, all.