hxxp://google[.]com

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

UltraViewer_Service.exeUltraViewer_Service.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	UltraViewer_Service.exe
File opened for modification	\??\PhysicalDrive0	UltraViewer_Service.exe

Drops file in System32 directory 8 IoCs

Processes:

uv_x64.exeUltraViewer_Desktop.exeUltraViewer_Service.exeRegAsm.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\uv_x64.exe.log	uv_x64.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UltraViewer_Desktop.exe.log	UltraViewer_Desktop.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\UltraViewer_Service.exe.log	UltraViewer_Service.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log	RegAsm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	uv_x64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	uv_x64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_4D499D0612DFAD69B02CF4A6DF9ECE41	uv_x64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_4D499D0612DFAD69B02CF4A6DF9ECE41	uv_x64.exe

Drops file in Program Files directory 64 IoCs

Processes:

UltraViewer_setup_6.6_en.tmpUltraViewer_Service.execmd.exeregasm.exeUltraViewer_Service.exe

description	ioc	process
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-CGNU0.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-GEA35.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-IGUDN.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-8FEBP.tmp	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl20.dll	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-IC5D2.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-DTJ4N.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-NOOAB.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-98ONG.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-1CB1R.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-9FP4S.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-0GRO5.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-OO1DA.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-FO419.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-35VOR.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-2N51V.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-NKPQ4.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-LFAAD.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-U7VQI.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-IF048.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-PQUPA.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-ELR24.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\UltraViewerService_log.txt	UltraViewer_Service.exe
File opened for modification	C:\Program Files\RustDesk\Uninstall RustDesk.lnk	cmd.exe
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl40.dll	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\NAudio.dll	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-RT2HA.tmp	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-5UO12.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-UALPA.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-6K75J.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-GAE0V.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-QIGOV.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-KOTI3.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-PGEHI.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-QRMCQ.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-O2DU8.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\RemoteControl.tlb	regasm.exe
File created	C:\Program Files (x86)\UltraViewer\js\is-DIN8K.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-663QQ.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-JHKG7.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-4F3SU.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-9188O.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-7OR9H.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-TLV9M.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-MNEMA.tmp	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvh64.dll	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\is-TUUE9.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Update\is-NC6AQ.tmp	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewerService_log.txt	UltraViewer_Service.exe
File created	C:\Program Files\RustDesk\Uninstall RustDesk.lnk	cmd.exe
File opened for modification	C:\Program Files (x86)\UltraViewer\uva64.dll	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-SFFEP.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-88VHT.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-9A1FE.tmp	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvc.dll	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uv_clib.dll	UltraViewer_setup_6.6_en.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uv_x64.exe	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-8UF3M.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-UAE3B.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-N713R.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-R3402.tmp	UltraViewer_setup_6.6_en.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-VKQB6.tmp	UltraViewer_setup_6.6_en.tmp

Drops file in Windows directory 13 IoCs

Processes:

RustDesk.exeRustDesk.exeDism.exeRustDesk.exedismhost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\import-config\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.5000_ThreadId(7)_1680353680957361700	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.5000_ThreadId(17)_1680353681963916600	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.5000_ThreadId(8)_1680354681853633000	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.5000_ThreadId(7)_1680353680984957600	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.5000_ThreadId(8)_1680354665566348400	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.5000_ThreadId(8)_1680354672578670300	RustDesk.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\service\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.5000_ThreadId(1)_1680353680690478100	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.5000_ThreadId(7)_1680353680959648900	RustDesk.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 39 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3024	sc.exe
2628	sc.exe
1620	sc.exe
4832	sc.exe
4920	sc.exe
2100	sc.exe
3956	sc.exe
928	sc.exe
3748	sc.exe
3092	sc.exe
2612	sc.exe
4964	sc.exe
720	sc.exe
4968	sc.exe
2240	sc.exe
3136	sc.exe
1684	sc.exe
2624	sc.exe
4400	sc.exe
4112	sc.exe
4260	sc.exe
2472	sc.exe
764	sc.exe
1836	sc.exe
8	sc.exe
1592	sc.exe
3280	sc.exe
4104	sc.exe
5092	sc.exe
4976	sc.exe
1688	sc.exe
2820	sc.exe
3896	sc.exe
4448	sc.exe
4812	sc.exe
1212	sc.exe
4548	sc.exe
4516	sc.exe
4380	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5752 5184 WerFault.exe UltraViewer_Desktop.exe
5600 5184 WerFault.exe UltraViewer_Desktop.exe

pid	pid_target	process	target process
5752	5184	WerFault.exe	UltraViewer_Desktop.exe
5600	5184	WerFault.exe	UltraViewer_Desktop.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Clipup.execlipup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	Clipup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

4600 net.exe
512 net.exe

pid	process
4600	net.exe
512	net.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3536	taskkill.exe
3740	taskkill.exe
4804	taskkill.exe
3312	taskkill.exe
1560	taskkill.exe
3940	taskkill.exe
3564	taskkill.exe
4100	taskkill.exe
3500	taskkill.exe
3344	taskkill.exe
1772	taskkill.exe
3324	taskkill.exe
380	taskkill.exe
4708	taskkill.exe
3352	taskkill.exe
1348	taskkill.exe
2548	taskkill.exe
3444	taskkill.exe
5020	taskkill.exe
1524	taskkill.exe
632	taskkill.exe
3244	taskkill.exe
1640	taskkill.exe
1468	taskkill.exe
2912	taskkill.exe
1824	taskkill.exe
2800	taskkill.exe
1732	taskkill.exe
4952	taskkill.exe
3268	taskkill.exe
1524	taskkill.exe
4100	taskkill.exe
3600	taskkill.exe
4588	taskkill.exe
3708	taskkill.exe
1228	taskkill.exe
3248	taskkill.exe
3644	taskkill.exe
1320	taskkill.exe
4604	taskkill.exe
4260	taskkill.exe
3280	taskkill.exe
2632	taskkill.exe
4804	taskkill.exe
2324	taskkill.exe
5060	taskkill.exe
4544	taskkill.exe
3208	taskkill.exe
1680	taskkill.exe
1268	taskkill.exe
2744	taskkill.exe
1040	taskkill.exe
3480	taskkill.exe
4784	taskkill.exe
2620	taskkill.exe
2824	taskkill.exe
3480	taskkill.exe
4748	taskkill.exe
3444	taskkill.exe
3308	taskkill.exe
3632	taskkill.exe
2440	taskkill.exe
3992	taskkill.exe
2420	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

UltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\Background = "Color [Red] Color [Green] Color [Blue]"	UltraViewer_Desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\Background = "Color [Red] Color [Green] Color [Blue]"	UltraViewer_Desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\Background = "Color [Red] Color [Green] Color [Blue]"	UltraViewer_Desktop.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

Processes:

UltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	UltraViewer_Desktop.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	UltraViewer_Desktop.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	UltraViewer_Desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	UltraViewer_Desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	UltraViewer_Desktop.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	UltraViewer_Desktop.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	UltraViewer_Desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	UltraViewer_Desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	UltraViewer_Desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	UltraViewer_Desktop.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

UltraViewer_Desktop.exeuv_x64.exeuv_x64.exeuv_x64.exeuv_x64.exeuv_x64.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Service.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Visual Basic\6.0	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Visual Basic\6.0	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Options	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	uv_x64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Settings\CurrentLanguageBrief = "en"	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	uv_x64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Settings\CurrentLanguageBrief = "en"	UltraViewer_Desktop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	UltraViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Options	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	uv_x64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Settings\CurrentLanguageBrief = "en"	UltraViewer_Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	uv_x64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	UltraViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	uv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	uv_x64.exe

Modifies registry class 64 IoCs

Processes:

regasm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VIndexedStrStrDictionary\CLSID	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B42B36F4-5E0A-3090-8CBA-AE56AAF05C42}\ = "_DragDropSuccessEventHandler"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DEFC03C-F3D4-38D0-81FD-F7A86EC3AE8B}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C61AF02-ACB0-3588-A612-C9864E9B61FA}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VDrawer+CachedItem\CLSID	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7069BBB1-4131-444E-BC3A-D58546CAB516}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD6FAC76-6CB4-35B6-900D-2C9B4D1CF9AA}\ = "RemoteControl.VistaTreeView"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{131971DF-8C34-4633-95F5-5662B6E0A1CF}\ = "_VIntBooleanDict"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5ECF6645-3FC9-4CCC-A215-695664CAE6BF}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FFEC097-834C-42A6-A994-CE1966121E9B}\TypeLib\Version = "1.0"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10A50165-87DF-304B-B4BD-05560AD104CE}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF953791-62EF-305E-8E45-F130C87093C1}\ = "_ClickEventHandler_________18"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B669374-FA72-3081-BD98-89870D8D7618}\ProxyStubClsid32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5022A0AC-7231-4D70-A6CD-6D06C6E2E52B}\Implemented Categories	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F070E810-9531-4F84-A1BE-6B2FE467947C}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C33C1E7-4CD2-3987-ADB3-66AC3B9B3505}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45FC452A-4154-4DF8-A96C-40262C388531}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8390E592-F6CB-3AEF-B3F7-F01194DF0F9F}\ProxyStubClsid32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E14791F9-5C31-36A9-971E-2326272A69FF}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E14791F9-5C31-36A9-971E-2326272A69FF}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC83B1BB-5431-4613-8BA6-03568BF49111}\InprocServer32\Assembly = "RemoteControl, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F569B21E-C5B0-4AD2-80A0-B208B5D5C97B}\TypeLib\Version = "1.0"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37269AEE-0B02-4B79-BAF2-25E1E7CF5515}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD07158E-6BAF-4CCE-8485-62F5549C7822}\ProxyStubClsid32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEAD75D8-A22D-4988-81CD-801183B81128}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{579BC9B0-2A36-37FC-B36B-FA979521CF49}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30906764-2519-311F-8912-CBDE46ABBC2C}\TypeLib\Version = "1.0"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D62EF4-3CEE-4AF7-83DE-02AF97F94D9A}\InprocServer32\1.0.0.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ADF308F-B824-4FD9-8C0B-93DA7B8A7E34}\InprocServer32\Assembly = "RemoteControl, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D5DA63-F027-36DB-96E8-4801D4CEDE84}\ = "_VistaTreeView"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DBE0E9C-5236-34D8-A10F-08ADC6FAB087}\InprocServer32\ = "mscoree.dll"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F070E810-9531-4F84-A1BE-6B2FE467947C}\InprocServer32\1.0.0.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCF83C65-6A25-30E4-A18D-2BB92C1048F6}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B103452-C5B8-3567-A0DF-6689E135D2B7}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B26DD4E-3114-3E36-98D9-40AA5F4BB787}\InprocServer32\Assembly = "RemoteControl, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16B664F6-B146-44A7-97FA-FB0EAD46802A}\InprocServer32\Class = "RemoteControl.VUDPClient"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13B00CF7-9C7F-34EA-B4BB-4C7D105F585E}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DAC63DA-59EF-3707-8D36-EB1EF00FD5C4}\ = "_CaptchaCorrectEventHandler"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F5B044-1384-353A-B3ED-A2A930E4B3C1}\TypeLib\Version = "1.0"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E71D7F-9CF7-36F0-B0A2-14F60AAD78B6}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}\1.0\FLAGS	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72550BB6-0686-42EA-9C8F-F446DA8486CE}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F8910920-60E1-3E6D-B3A2-59E1DF1F10BC}\ = "_PipeResponseEventHandler"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{828DFF9A-653F-3E71-8647-C6425F274655}\InprocServer32\1.0.0.0\Class = "RemoteControl.frmAddGroup"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD6583C2-0B5C-49A5-A13C-E9C530F8A3A8}\InprocServer32\Assembly = "RemoteControl, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D7E50FF-DD5F-41C5-AA89-F176516E4439}\ = "RemoteControl.VPipeSender"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02BB3C25-2825-3250-8B1D-442AD0B9F4F7}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B5A2E8-9BB3-3302-9D9A-0F10198B758C}\TypeLib\Version = "1.0"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA52DBBC-B050-328B-8EB0-81990853A4C3}\ = "_ConnectFailEventHandler"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92D5DA63-F027-36DB-96E8-4801D4CEDE84}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF83752C-2529-4326-AB56-ADD3A8308D7D}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2356D63F-FFA2-49A8-9304-FCBF80064D8F}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C73A943E-85B7-3DD6-A013-EBB02E575C2E}\TypeLib\Version = "1.0"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD235618-5395-384F-8D61-65012033FFCB}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.myPictureBox	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8C67555-E1C2-4B4E-A34A-36C8D3B46936}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F271EFB2-B5CC-4AEF-AADE-16693B26BA0B}\TypeLib\Version = "1.0"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EE08CED-2C53-44E2-A11F-22CD5C1A4DFF}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80D03754-CAF2-30A2-87CE-CF95148B4993}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84463CB1-A747-377A-98EC-236E5215E6D0}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EB0ECA8-1CDA-3050-B0E5-65E29BFA2E5E}\ = "_AfterSelectEventHandler"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97574387-2717-3BCD-A1A5-07D362A6F62F}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA87B47-F3BB-3573-827F-CBA6BE9C42EC}\ = "_DblClickEventHandler___12"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E99E5338-1077-3110-909C-2F178F2B8B96}\ = "_RemoteClientReceivedEventHandler"	regasm.exe

Modifies registry key 1 TTPs 19 IoCs

Modify Registry

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4548	reg.exe
4508	reg.exe
4120	reg.exe
4292	reg.exe
3504	reg.exe
1864	reg.exe
3384	reg.exe
2004	reg.exe
4884	reg.exe
4048	reg.exe
1824	reg.exe
3604	reg.exe
208	reg.exe
2836	reg.exe
3132	reg.exe
3664	reg.exe
3948	reg.exe
3360	reg.exe
2712	reg.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

uv_x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	uv_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	uv_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	uv_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	uv_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c0000000100000004000000001000000400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	uv_x64.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

928 PING.EXE

pid	process
928	PING.EXE

Suspicious behavior: AddClipboardFormatListener 7 IoCs

Processes:

UltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exe

pid	process
1780	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
5184	UltraViewer_Desktop.exe
5932	UltraViewer_Desktop.exe
3864	UltraViewer_Desktop.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeAnyDesk.exechrome.exeAnyDesk.exeAnyDesk.exeRustDesk.exechrome.exeUVUninstallHelper.exeUltraViewer_setup_6.6_en.tmpUltraViewer_Desktop.exeUltraViewer_Service.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Service.exe

pid	process
4660	chrome.exe
4660	chrome.exe
2304	AnyDesk.exe
2304	AnyDesk.exe
1772	chrome.exe
1772	chrome.exe
3360	AnyDesk.exe
3360	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
3976	RustDesk.exe
3976	RustDesk.exe
4004	chrome.exe
4004	chrome.exe
3656	UVUninstallHelper.exe
2892	UltraViewer_setup_6.6_en.tmp
2892	UltraViewer_setup_6.6_en.tmp
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1732	UltraViewer_Service.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
1732	UltraViewer_Service.exe
1732	UltraViewer_Service.exe
2248	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
4324	UltraViewer_Service.exe
4324	UltraViewer_Service.exe

Suspicious behavior: GetForegroundWindowSpam 11 IoCs

Processes:

UltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exechrome.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exe

pid	process
1476	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
4556	UltraViewer_Desktop.exe
2268	chrome.exe
5184	UltraViewer_Desktop.exe
1448	UltraViewer_Desktop.exe
5932	UltraViewer_Desktop.exe
3496	UltraViewer_Desktop.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe
2268	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeAnyDesk.exe

pid	process
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeAnyDesk.exeRustDesk.exechrome.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exe

pid	process
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
4616	RustDesk.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

rustdesk-1.1.9-putes.exeRustDesk.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeuv_x64.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeuv_x64.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeuv_x64.exeRustDesk.exeRustDesk.exeUltraViewer_Desktop.exeUltraViewer_Desktop.exeuv_x64.exeUltraViewer_Desktop.exe

pid	process
3168	rustdesk-1.1.9-putes.exe
4648	RustDesk.exe
4648	RustDesk.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
3836	UltraViewer_Desktop.exe
4952	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1476	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
1780	UltraViewer_Desktop.exe
3364	uv_x64.exe
3364	uv_x64.exe
1476	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
4292	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
2596	UltraViewer_Desktop.exe
3692	uv_x64.exe
3692	uv_x64.exe
4292	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
4556	UltraViewer_Desktop.exe
4556	UltraViewer_Desktop.exe
4556	UltraViewer_Desktop.exe
3788	uv_x64.exe
3788	uv_x64.exe
2472	RustDesk.exe
2472	RustDesk.exe
2248	UltraViewer_Desktop.exe
2364	RustDesk.exe
2364	RustDesk.exe
2248	UltraViewer_Desktop.exe
2248	UltraViewer_Desktop.exe
5184	UltraViewer_Desktop.exe
5184	UltraViewer_Desktop.exe
5184	UltraViewer_Desktop.exe
5184	UltraViewer_Desktop.exe
5184	UltraViewer_Desktop.exe
5184	UltraViewer_Desktop.exe
1448	UltraViewer_Desktop.exe
1448	UltraViewer_Desktop.exe
1448	UltraViewer_Desktop.exe
1212	uv_x64.exe
1212	uv_x64.exe
5184	UltraViewer_Desktop.exe
5932	UltraViewer_Desktop.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4660 wrote to memory of 2560	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 2560	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 4568	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 1176	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 1176	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe
PID 4660 wrote to memory of 340	4660	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://google.com
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a8689758,0x7ff9a8689768,0x7ff9a8689778
2⤵
- Loads dropped DLL
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:2
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4440 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:3436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3264 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5040 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4380 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3028 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5608 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3740 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5844 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:1680

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3360

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5280 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5056 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5540 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5892 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5904 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5032 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5852 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6000 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3212 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1092 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=4548 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=1576 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=904 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=2740 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6400 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=5956 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:1
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 --field-trial-handle=1832,i,16192902830944215376,9109807320970937954,131072 /prefetch:8
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x500
1⤵
PID:2828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1656

C:\Windows\System32\winver.exe
"C:\Windows\System32\winver.exe"
1⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\Temp1_rustdesk-1.1.9-windows_x64.zip\rustdesk-1.1.9-putes.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_rustdesk-1.1.9-windows_x64.zip\rustdesk-1.1.9-putes.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\RustDesk_install.bat
2⤵
- Drops file in Program Files directory
PID:3048

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:328

C:\Windows\system32\sc.exe
sc stop RustDesk
3⤵
- Launches sc.exe
PID:1592

C:\Windows\system32\sc.exe
sc delete RustDesk
3⤵
- Launches sc.exe
PID:928

C:\Windows\system32\taskkill.exe
taskkill /F /IM RustDesk.exe
3⤵
- Kills process with taskkill
PID:1040

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\.rustdesk /f
3⤵
PID:4504

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="RustDesk Service"
3⤵
- Modifies Windows Firewall
PID:2020

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f
3⤵
PID:812

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:516

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f
3⤵
PID:2308

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayIcon /t REG_SZ /d "C:\Program Files\RustDesk\RustDesk.exe"
3⤵
PID:4156

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayName /t REG_SZ /d "RustDesk"
3⤵
PID:3572

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayVersion /t REG_SZ /d "1.1.9"
3⤵
PID:2440

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v Version /t REG_SZ /d "1.1.9"
3⤵
PID:2800

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v InstallLocation /t REG_SZ /d "C:\Program Files\RustDesk"
3⤵
PID:4960

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v Publisher /t REG_SZ /d "RustDesk"
3⤵
PID:3976

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionMajor /t REG_DWORD /d 1
3⤵
PID:1892

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionMinor /t REG_DWORD /d 1
3⤵
PID:1184

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionBuild /t REG_DWORD /d 9
3⤵
PID:4080

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v UninstallString /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" --uninstall"
3⤵
PID:4364

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v EstimatedSize /t REG_DWORD /d 14893
3⤵
PID:2652

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v WindowsInstaller /t REG_DWORD /d 0
3⤵
PID:4216

C:\Windows\system32\cscript.exe
cscript "C:\Users\Admin\AppData\Local\Temp\RustDesk_mk_shortcut.vbs"
3⤵
PID:2248

C:\Windows\system32\cscript.exe
cscript "C:\Users\Admin\AppData\Local\Temp\RustDesk_uninstall_shortcut.vbs"
3⤵
PID:1476

C:\Windows\system32\cscript.exe
cscript "C:\Users\Admin\AppData\Local\Temp\RustDesk_tray_shortcut.vbs"
3⤵
PID:548

C:\Windows\system32\sc.exe
sc create RustDesk binpath= "\"C:\Program Files\RustDesk\RustDesk.exe\" --import-config \"C:\Users\Admin\AppData\Roaming\RustDesk\config\RustDesk.toml\"" start= auto DisplayName= "RustDesk Service"
3⤵
- Launches sc.exe
PID:3748

C:\Windows\system32\sc.exe
sc start RustDesk
3⤵
- Launches sc.exe
PID:3092

C:\Windows\system32\sc.exe
sc stop RustDesk
3⤵
- Launches sc.exe
PID:2820

C:\Windows\system32\sc.exe
sc delete RustDesk
3⤵
- Launches sc.exe
PID:764

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4676

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.rustdesk /f
3⤵
PID:1348

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.rustdesk\DefaultIcon /f
3⤵
PID:3608

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.rustdesk\DefaultIcon /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\",0"
3⤵
PID:1156

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.rustdesk\shell /f
3⤵
PID:2840

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open /f
3⤵
PID:516

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open\command /f
3⤵
PID:4156

C:\Windows\system32\reg.exe
reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open\command /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" --play \"%1\""
3⤵
PID:4956

C:\Windows\system32\sc.exe
sc create RustDesk binpath= "\"C:\Program Files\RustDesk\RustDesk.exe\" --service" start= auto DisplayName= "RustDesk Service"
3⤵
- Launches sc.exe
PID:3280

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="RustDesk Service" dir=in action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3572

C:\Windows\system32\sc.exe
sc start RustDesk
3⤵
- Launches sc.exe
PID:3896

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v SoftwareSASGeneration /t REG_DWORD /d 1
3⤵
PID:2248

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:3768

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:2588

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:2004

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:3916

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:4812

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:4976

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:416

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:4504

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:932

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:4500

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:5076

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:3272

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:4800

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:3092

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:4676

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:1348

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:3340

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:632

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:516

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:1836

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:3280

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:1688

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:5004

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:1468

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:3388

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:3088

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:964

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:2364

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
3⤵
- Executes dropped EXE
PID:2172

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --tray
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
PID:4616

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --import-config "C:\Users\Admin\AppData\Roaming\RustDesk\config\RustDesk.toml"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5016

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --service
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --server
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0x108,0x128,0x7ff9a8689758,0x7ff9a8689768,0x7ff9a8689778
2⤵
- Loads dropped DLL
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:2
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4140 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5108 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5156 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1640 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3880 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3400 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5444 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=880 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5780 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5940 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5572 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:1
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5856 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6048 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5860 --field-trial-handle=2380,i,15733942543182675949,2846824399913593163,131072 /prefetch:8
2⤵
PID:1984

C:\Users\Admin\Downloads\UltraViewer_setup_6.6_en.exe
"C:\Users\Admin\Downloads\UltraViewer_setup_6.6_en.exe"
2⤵
- Executes dropped EXE
PID:2216

C:\Users\Admin\AppData\Local\Temp\is-RCQDC.tmp\UltraViewer_setup_6.6_en.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RCQDC.tmp\UltraViewer_setup_6.6_en.tmp" /SL5="$80332,3436097,121344,C:\Users\Admin\Downloads\UltraViewer_setup_6.6_en.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Users\Admin\AppData\Local\Temp\is-AVR23.tmp\UVUninstallHelper.exe
"C:\Users\Admin\AppData\Local\Temp\is-AVR23.tmp\UVUninstallHelper.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3656

C:\Windows\SysWOW64\net.exe
"net" stop UltraViewService
4⤵
- Discovers systems in the same network
PID:4600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UltraViewService
5⤵
PID:1712

C:\Windows\SysWOW64\net.exe
"net" stop UltraViewService
4⤵
- Discovers systems in the same network
PID:512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop UltraViewService
5⤵
PID:1228

C:\Windows\SysWOW64\sc.exe
"sc" delete UltraViewService
4⤵
- Launches sc.exe
PID:4400

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4748

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4100

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1468

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3444

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:1916

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:1012

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3248

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2912

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4624

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4924

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:5060

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1824

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3536

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:380

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3308

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4544

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4708

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3352

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1228

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3956

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4560

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3632

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4664

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1524

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3480

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4980

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3208

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1680

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3392

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2440

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1348

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:1500

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2548

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2800

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3600

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:5076

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1268

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4260

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4588

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3436

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3564

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4100

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1732

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3444

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3740

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4380

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3248

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4952

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4784

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3280

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:1128

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2620

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3500

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3708

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3244

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1640

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4312

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:1712

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2632

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3268

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2420

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2824

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4804

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1524

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3480

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3312

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3344

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1560

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3644

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:632

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1320

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2744

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:1772

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3940

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:1120

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3796

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:1836

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3992

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3324

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4756

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3268

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:2472

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4100

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4804

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:5020

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:3480

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:2024

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:4604

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:4976

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3644

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:632

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3144

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:2744

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
- Kills process with taskkill
PID:2324

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "UltraViewer_Desktop.exe"
4⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl.dll" /tlb
4⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:3016

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" validate
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" "C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll" /tlb
4⤵
- Loads dropped DLL
PID:3448

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" install
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\SysWOW64\sc.exe
sc failure "UltraViewService" reset= 0 actions= restart/60000
5⤵
- Launches sc.exe
PID:2612

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" regasm40
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:720

C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
2⤵
- Drops file in System32 directory
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
2⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
2⤵
PID:932

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
UltraViewer_Desktop.exe -pid:1476 -debughwnd:-1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Program Files (x86)\UltraViewer\uv_x64.exe
uv_x64.exe hook 1476 524566
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
UltraViewer_Desktop.exe -pid:4292 -debughwnd:-1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Program Files (x86)\UltraViewer\uv_x64.exe
uv_x64.exe hook 4292 197548
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x500
1⤵
PID:1324

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4324

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
UltraViewer_Desktop.exe -pid:2248 -debughwnd:-1
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Program Files (x86)\UltraViewer\uv_x64.exe
uv_x64.exe hook 2248 197582
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
UltraViewer_Desktop.exe -pid:5184 -debughwnd:-1
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Program Files (x86)\UltraViewer\uv_x64.exe
uv_x64.exe hook 5184 132566
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
UltraViewer_Desktop.exe -pid:5932 -debughwnd:-1
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
PID:3496

C:\Program Files (x86)\UltraViewer\uv_x64.exe
uv_x64.exe hook 5932 525134
2⤵
- Modifies data under HKEY_USERS
PID:2040

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
- Executes dropped EXE
PID:3416

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
- Executes dropped EXE
PID:2864

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
- Executes dropped EXE
PID:2440

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
- Executes dropped EXE
PID:4336

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
- Executes dropped EXE
PID:3504

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
- Executes dropped EXE
PID:2200

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
- Executes dropped EXE
PID:2184

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
PID:1124

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
PID:4756

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
PID:3452

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
PID:4920

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --version
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9a8689758,0x7ff9a8689768,0x7ff9a8689778
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:8
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:1
2⤵
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:1
2⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:2
2⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:8
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:8
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:8
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4720 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:1
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:8
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4672 --field-trial-handle=1944,i,13238067609680645750,1825122130510295026,131072 /prefetch:1
2⤵
PID:1564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_254.cmd" "
2⤵
PID:116

C:\Windows\System32\findstr.exe
findstr /rxc:".*" "MAS_254.cmd"
3⤵
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:5092

C:\Windows\System32\find.exe
find /i "0x0"
3⤵
PID:4204

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
3⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
3⤵
PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
4⤵
PID:3508

C:\Windows\System32\cmd.exe
cmd
4⤵
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_254.cmd" "
3⤵
PID:4644

C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
3⤵
PID:2712

C:\Windows\System32\fltMC.exe
fltmc
3⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
3⤵
PID:3172

C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
4⤵
PID:2620

C:\Windows\System32\mode.com
mode 76, 30
3⤵
PID:5072

C:\Windows\System32\choice.exe
choice /C:12345670 /N
3⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:2976

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
3⤵
PID:4936

C:\Windows\System32\find.exe
find /i "0x0"
3⤵
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
3⤵
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
4⤵
PID:700

C:\Windows\System32\cmd.exe
cmd
4⤵
PID:3600

C:\Windows\System32\mode.com
mode 102, 34
3⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
3⤵
PID:3752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
4⤵
PID:2216

C:\Windows\System32\find.exe
find /i "Windows"
3⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
3⤵
PID:1184

C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
3⤵
PID:4780

C:\Windows\System32\find.exe
find /i "computersystem"
3⤵
PID:2140

C:\Windows\System32\sc.exe
sc start sppsvc
3⤵
- Launches sc.exe
PID:4112

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
3⤵
PID:2420

C:\Windows\System32\findstr.exe
findstr /i "Windows"
3⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
3⤵
PID:2556

C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
4⤵
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
3⤵
PID:1684

C:\Windows\System32\wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
4⤵
PID:476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
3⤵
PID:1496

C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
4⤵
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
3⤵
PID:2624

C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
4⤵
- Runs ping.exe
PID:928

C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
3⤵
PID:3340

C:\Windows\System32\find.exe
find /i "0x0"
3⤵
PID:4796

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
3⤵
PID:2184

C:\Windows\System32\find.exe
find /i "0x0"
3⤵
PID:4112

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
3⤵
- Modifies registry key
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start 2>nul
3⤵
PID:4920

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
4⤵
- Modifies registry key
PID:3664

C:\Windows\System32\sc.exe
sc start ClipSVC
3⤵
- Launches sc.exe
PID:1836

C:\Windows\System32\sc.exe
sc query ClipSVC
3⤵
- Launches sc.exe
PID:3136

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
3⤵
- Modifies registry key
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start 2>nul
3⤵
PID:3956

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
4⤵
- Modifies registry key
PID:208

C:\Windows\System32\sc.exe
sc start wlidsvc
3⤵
- Launches sc.exe
PID:4964

C:\Windows\System32\sc.exe
sc query wlidsvc
3⤵
- Launches sc.exe
PID:4448

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
3⤵
- Modifies registry key
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start 2>nul
3⤵
PID:5080

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
4⤵
- Modifies registry key
PID:2836

C:\Windows\System32\sc.exe
sc start sppsvc
3⤵
- Launches sc.exe
PID:3024

C:\Windows\System32\sc.exe
sc query sppsvc
3⤵
- Launches sc.exe
PID:720

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
3⤵
- Modifies registry key
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start 2>nul
3⤵
PID:4632

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
4⤵
- Modifies registry key
PID:3948

C:\Windows\System32\sc.exe
sc start KeyIso
3⤵
- Launches sc.exe
PID:4812

C:\Windows\System32\sc.exe
sc query KeyIso
3⤵
- Launches sc.exe
PID:4104

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
3⤵
- Modifies registry key
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start 2>nul
3⤵
PID:2632

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
4⤵
- Modifies registry key
PID:1824

C:\Windows\System32\sc.exe
sc start LicenseManager
3⤵
- Launches sc.exe
PID:1212

C:\Windows\System32\sc.exe
sc query LicenseManager
3⤵
- Launches sc.exe
PID:8

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
3⤵
- Modifies registry key
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start 2>nul
3⤵
PID:1680

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
4⤵
- Modifies registry key
PID:3360

C:\Windows\System32\sc.exe
sc start Winmgmt
3⤵
- Launches sc.exe
PID:4548

C:\Windows\System32\sc.exe
sc query Winmgmt
3⤵
- Launches sc.exe
PID:4260

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
3⤵
- Modifies registry key
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start 2>nul
3⤵
PID:4116

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
4⤵
- Modifies registry key
PID:2712

C:\Windows\System32\sc.exe
sc start wuauserv
3⤵
- Launches sc.exe
PID:2628

C:\Windows\System32\sc.exe
sc query wuauserv
3⤵
- Launches sc.exe
PID:1620

C:\Windows\System32\net.exe
net start ClipSVC /y
3⤵
PID:4652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start ClipSVC /y
4⤵
PID:4736

C:\Windows\System32\find.exe
find /i "4 RUNNING"
3⤵
PID:5012

C:\Windows\System32\sc.exe
sc query ClipSVC
3⤵
- Launches sc.exe
PID:5092

C:\Windows\System32\sc.exe
sc start ClipSVC
3⤵
- Launches sc.exe
PID:4516

C:\Windows\System32\net.exe
net start wlidsvc /y
3⤵
PID:3016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start wlidsvc /y
4⤵
PID:4572

C:\Windows\System32\sc.exe
sc query wlidsvc
3⤵
- Launches sc.exe
PID:4968

C:\Windows\System32\find.exe
find /i "4 RUNNING"
3⤵
PID:3872

C:\Windows\System32\sc.exe
sc start wlidsvc
3⤵
- Launches sc.exe
PID:1684

C:\Windows\System32\net.exe
net start sppsvc /y
3⤵
PID:1232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start sppsvc /y
4⤵
PID:632

C:\Windows\System32\sc.exe
sc query sppsvc
3⤵
- Launches sc.exe
PID:2240

C:\Windows\System32\find.exe
find /i "4 RUNNING"
3⤵
PID:3752

C:\Windows\System32\sc.exe
sc start sppsvc
3⤵
- Launches sc.exe
PID:4976

C:\Windows\System32\net.exe
net start KeyIso /y
3⤵
PID:5096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start KeyIso /y
4⤵
PID:2064

C:\Windows\System32\sc.exe
sc query KeyIso
3⤵
- Launches sc.exe
PID:2472

C:\Windows\System32\find.exe
find /i "4 RUNNING"
3⤵
PID:4576

C:\Windows\System32\sc.exe
sc start KeyIso
3⤵
- Launches sc.exe
PID:2624

C:\Windows\System32\net.exe
net start LicenseManager /y
3⤵
PID:3416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start LicenseManager /y
4⤵
PID:2864

C:\Windows\System32\sc.exe
sc query LicenseManager
3⤵
- Launches sc.exe
PID:4832

C:\Windows\System32\find.exe
find /i "4 RUNNING"
3⤵
PID:2184

C:\Windows\System32\sc.exe
sc start LicenseManager
3⤵
- Launches sc.exe
PID:4380

C:\Windows\System32\net.exe
net start Winmgmt /y
3⤵
PID:4884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start Winmgmt /y
4⤵
PID:3452

C:\Windows\System32\sc.exe
sc query Winmgmt
3⤵
- Launches sc.exe
PID:4920

C:\Windows\System32\find.exe
find /i "4 RUNNING"
3⤵
PID:3704

C:\Windows\System32\sc.exe
sc start Winmgmt
3⤵
- Launches sc.exe
PID:2100

C:\Windows\System32\net.exe
net start wuauserv /y
3⤵
PID:3352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start wuauserv /y
4⤵
PID:1476

C:\Windows\System32\sc.exe
sc query wuauserv
3⤵
- Launches sc.exe
PID:3956

C:\Windows\System32\find.exe
find /i "4 RUNNING"
3⤵
PID:3096

C:\Windows\System32\sc.exe
sc start wuauserv
3⤵
- Launches sc.exe
PID:1688

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State"
3⤵
PID:1608

C:\Windows\System32\find.exe
find /i "IMAGE_STATE_COMPLETE"
3⤵
PID:4048

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
3⤵
PID:2836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $ExecutionContext.SessionState.LanguageMode
3⤵
PID:5084

C:\Windows\System32\find.exe
find /i "Full"
3⤵
PID:3384

C:\Windows\System32\find.exe
find /i "computersystem"
3⤵
PID:3320

C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
3⤵
PID:2632

C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
3⤵
- Drops file in Windows directory
PID:5088

C:\Users\Admin\AppData\Local\Temp\86A57F9E-0DBE-46FD-8BC6-6BBA7436EE9D\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\86A57F9E-0DBE-46FD-8BC6-6BBA7436EE9D\dismhost.exe {23ED7BE6-11A2-4A69-B9F3-567BF5EF327F}
4⤵
- Drops file in Windows directory
PID:1688

C:\Windows\System32\cmd.exe
cmd /c exit /b 0
3⤵
PID:996

C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
3⤵
PID:4128

C:\Windows\System32\cmd.exe
cmd /c exit /b 0
3⤵
PID:3400

C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
3⤵
PID:1468

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
3⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
3⤵
PID:3812

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
4⤵
PID:1124

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
3⤵
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
3⤵
PID:3308

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
4⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
3⤵
PID:4740

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
4⤵
PID:720

C:\Windows\System32\findstr.exe
findstr /i "wuauserv"
3⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo: "
3⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start 2>nul
3⤵
PID:3860

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
4⤵
- Modifies registry key
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start 2>nul
3⤵
PID:1644

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start
4⤵
- Modifies registry key
PID:3384

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
3⤵
- Modifies registry key
PID:2004

C:\Windows\System32\find.exe
find /i "windowsupdate"
3⤵
PID:1832

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
3⤵
- Modifies registry key
PID:3504

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
3⤵
- Modifies registry key
PID:4548

C:\Windows\System32\findstr.exe
findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
3⤵
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo: "
3⤵
PID:1864

C:\Windows\System32\find.exe
find /i "wuauserv"
3⤵
PID:3212

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
3⤵
PID:4116

C:\Windows\System32\find.exe
find /i "0x1"
3⤵
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildBranch 2>nul
3⤵
PID:1676

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildBranch
4⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285" "
3⤵
PID:4344

C:\Windows\System32\find.exe
find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
3⤵
PID:4972

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
3⤵
PID:700

C:\Windows\System32\cmd.exe
cmd /c exit /b 0
3⤵
PID:2336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
4⤵
PID:3872

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
3⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
3⤵
PID:5004

C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Name
4⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
3⤵
PID:1528

C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Nation
4⤵
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;DownlevelGenuineState=1;$([char]0)"""))
3⤵
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;DownlevelGenuineState=1;$([char]0)"""))
4⤵
PID:2624

C:\Windows\System32\find.exe
find "AAAA"
3⤵
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBEAG8AdwBuAGwAZQB2AGUAbABHAGUAbgB1AGkAbgBlAFMAdABhAHQAZQA9ADEAOwAAAA==" "
3⤵
PID:1468

C:\Windows\System32\net.exe
net stop ClipSVC /y
3⤵
PID:2148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ClipSVC /y
4⤵
PID:4448

C:\Windows\System32\net.exe
net start ClipSVC /y
3⤵
PID:4488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start ClipSVC /y
4⤵
PID:3020

C:\Windows\System32\ClipUp.exe
clipup -v -o
3⤵
PID:1676

C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem416D.tmp
4⤵
- Checks SCSI registry key(s)
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
3⤵
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
3⤵
PID:2140

C:\Windows\System32\find.exe
find /i "Windows"
3⤵
PID:4952

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
3⤵
PID:2536

C:\Windows\System32\cmd.exe
cmd /c exit /b 0
3⤵
PID:4024

C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
3⤵
PID:4816

C:\Windows\System32\findstr.exe
findstr /i "Windows"
3⤵
PID:4264

C:\Windows\System32\mode.com
mode 76, 30
3⤵
PID:5036

C:\Windows\System32\choice.exe
choice /C:12345670 /N
3⤵
PID:1936

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:5084

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem39DB.tmp
2⤵
- Checks SCSI registry key(s)
PID:4100

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 2532
2⤵
- Program crash
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 888
2⤵
- Program crash
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5184 -ip 5184
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5184 -ip 5184
1⤵
PID:5520

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"
1⤵
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1892

C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

System Information Discovery