IOCReport


Files

File Path | Type | Category | Malicious
wogZe27GBB.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\nsrC1CA.tmp | data | dropped | clean
C:\Users\user\AppData\Roaming\ViberPC\Icons\TeamViewer.ini | data | modified | clean
C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
C:\Users\user\AppData\Roaming\ViberPC\Icons\vpn.cab | Microsoft Cabinet archive data, 71196 bytes, 8 files | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\edb.log | data | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0xbcd629f4, page size 16384, DirtyShutdown, Windows version 10.0 | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data | dropped | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl | data | dropped | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl | data | dropped | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl | data | dropped | clean
C:\Users\user\AppData\Local\Temp\nsaF7DF.tmp | data | dropped | clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001.. (copy) | data | dropped | clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy) | data | dropped | clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001cd (copy) | data | dropped | clean
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | ASCII text, with no line terminators | dropped | clean
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log | data | modified | clean
9 further files are hidden in the original report and are not listed here.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\wogZe27GBB.exe | 'C:\Users\user\Desktop\wogZe27GBB.exe' | malicious
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f | malicious
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | malicious
C:\Windows\SysWOW64\svchost.exe | c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'uniprint.exe' -s USBManager | malicious
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f | malicious
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | malicious
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f | malicious
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k unistacksvcgroup | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\SgrmBroker.exe | C:\Windows\system32\SgrmBroker.exe | clean
C:\Program Files\Windows Defender\MpCmdRun.exe | 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
12 further processes are hidden in the original report and are not listed here.
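The two tables above carry the findings a triager would act on: the sample drops UniPrint.exe and TV.dll into %AppData%\Roaming\ViberPC\Icons next to TeamViewer components (TeamViewer.ini, Teamviewer_Resource_ja.dll), and the only svchost.exe instance launched from SysWOW64 runs with a service group ('usbportsmanagergrp') that does not appear elsewhere on the page and a command line naming the dropped uniprint.exe. The report also marks several System32 svchost rows (BITS, NcbService, CDPSvc, DoSvc, wscsvc) as malicious without stating why, so a command-line-only check cannot reproduce those verdicts. The script below is an added example, not part of the sandbox report; it transcribes a subset of the rows from both tables and cross-references them. The svchost group allow-list and the user-writable path fragments are assumptions chosen for illustration.

```python
"""Triage helper for the Files and Processes tables above.

Added example, not part of the sandbox report. The rows below are
transcribed from the tables on this page; the svchost group allow-list
and the user-writable path list are assumptions for illustration.
"""
import ntpath
import re

# Transcribed from the Files table: (path, category, verdict)
DROPPED_FILES = [
    (r"C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll", "dropped", "malicious"),
    (r"C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe", "dropped", "malicious"),
    (r"C:\Users\user\AppData\Roaming\ViberPC\Icons\TeamViewer.ini", "modified", "clean"),
    (r"C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll", "dropped", "clean"),
    (r"C:\Users\user\AppData\Roaming\ViberPC\Icons\vpn.cab", "dropped", "clean"),
]

# Transcribed from the Processes table: (image path, command line)
PROCESSES = [
    (r"C:\Users\user\Desktop\wogZe27GBB.exe",
     r"'C:\Users\user\Desktop\wogZe27GBB.exe'"),
    (r"C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe",
     r"'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f"),
    (r"C:\Windows\SysWOW64\svchost.exe",
     r"c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'uniprint.exe' -s USBManager"),
    (r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
    (r"C:\Windows\System32\svchost.exe",
     r"c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc"),
]

# Assumed allow-list of svchost -k groups. Illustrative only; on a real host
# enumerate HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost instead.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "localservicenetworkrestricted",
    "localsystemnetworkrestricted", "networkservice", "unistacksvcgroup",
}

# Assumed path fragments (lower-case) that a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def svchost_group(cmdline):
    """Return the lower-cased -k group from an svchost command line, or None."""
    m = re.search(r"-k\s+'?([^\s']+)'?", cmdline, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(files, processes, known_groups=KNOWN_SVCHOST_GROUPS):
    """Cross-reference process rows against dropped files; return (image, reason) pairs."""
    dropped = {ntpath.basename(p).lower() for p, cat, _ in files if cat in ("dropped", "modified")}
    findings = []
    for image, cmd in processes:
        img, low = image.lower(), cmd.lower()
        base = ntpath.basename(img)
        # 1. Image executes from a location a standard user can write to.
        if any(frag in img for frag in USER_WRITABLE):
            findings.append((base, "executes from user-writable path"))
        # 2. svchost hosting an unknown group, or the 32-bit svchost hosting one at all.
        if base == "svchost.exe":
            grp = svchost_group(cmd)
            if grp not in known_groups:
                findings.append((base, f"unknown svchost group {grp!r}"))
            if "\\syswow64\\" in img:
                findings.append((base, "32-bit svchost hosting a service group"))
        # 3. Command line names a file the sample dropped or modified (other than itself).
        for name in sorted(dropped):
            if name != base and name in low:
                findings.append((base, f"command line references dropped file {name}"))
    return findings


if __name__ == "__main__":
    for image, reason in triage(DROPPED_FILES, PROCESSES):
        print(f"{image}: {reason}")
```

Run against the transcribed rows, the script flags the initial sample and UniPrint.exe for running from user-writable paths, and the SysWOW64 svchost three times (unknown group, 32-bit host, reference to the dropped uniprint.exe); the two System32 svchost rows with standard groups produce nothing, which is the intended contrast with the report's own verdicts on them.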

URLs

Name | IP | Malicious
http://www.teamviewer.com/download/version_4x/TeamViewerQS.exe | unknown | clean
http://www.teamviewer.com/CConnectionHistoryManager::createMessageString(): | unknown | clean