So far it appears to have only triggered on Team viewer traffic
| Dest port | src port | Count |
|---|---|---|
| 56582 | 5938 | 4 |
| 50435 | 443 | 2 |
| 62858 | 5938 | 2 |
| 12578 | 443 | 1 |
| 49192 | 443 | 1 |
| 49680 | 443 | 1 |
| 49733 | 443 | 1 |
| 50073 | 443 | 1 |
| 50135 | 443 | 1 |
| 50620 | 443 | 1 |
| 50638 | 443 | 1 |
| 50817 | 443 | 1 |
| 50990 | 443 | 1 |
| 51101 | 443 | 1 |
| 51334 | 443 | 1 |
| 51715 | 5938 | 1 |
| 52366 | 5938 | 1 |
| 52607 | 443 | 1 |
| 52778 | 443 | 1 |
| 53102 | 443 | 1 |
| 53373 | 443 | 1 |
| 53796 | 5938 | 1 |
| 54197 | 443 | 1 |
| 54588 | 443 | 1 |
| 54817 | 443 | 1 |
I performed lookups on the source IPs and all of the hostnames are *.router.teamviewer.com