4a4d65a9fbba6b8b36c700f2483039932bb56987a0f047f82ffc4d74bf5a9d8a

Analysis

max time kernel
146s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume3/Program Files (x86)/UltraViewer/Update/UVUpdater.exe
Size

3.7MB
MD5

5a25dc52d6248b6014d823a816dff477
SHA1

082044061f252e2d90fd0d8689b2eb72cba434ce
SHA256

8b2e4d77f99fe573244597dc8f1733656ee0ffb8ca6365d968af93f7f8943f56
SHA512

5737d372b480f335355056bd245cb8d65b7f77ab4058607aade7f6eeab9c388a2ba7d962acceb6fc65ed67cb7165f13796eb0c0615acfb698acb1e073576fcb7
SSDEEP

98304:I5zZ80gsEX+LjrKnRYgHFW2Ho7k7O5iN0BFCgvRRnf9ViPa:If80gsl3rKnTK5s0qg5Hca

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 3 IoCs

pid	Process
1000	tmp22D7.tmp
1964	tmp22D7.tmp
584	UVUninstallHelper.exe

Loads dropped DLL 5 IoCs

pid	Process
888	UVUpdater.exe
1000	tmp22D7.tmp
1964	tmp22D7.tmp
1964	tmp22D7.tmp
1964	tmp22D7.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraViewer\images\is-C7P2G.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-N4S73.tmp	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-V9L43.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\sounds\is-PJ4NK.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\is-II92B.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-55UEA.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-SIQOK.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-LIM01.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-3MR7M.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-JDQPK.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-43IJ0.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-PO61G.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-HINH6.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-EPGN2.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-L8VJO.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-Q4U72.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-4F4TI.tmp	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uv_x64.exe	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\msvbvm60.dll	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl20.dll	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvc.dll	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-TC7RL.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-GE70O.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-E3FRE.tmp	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl.dll	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\is-AIV7E.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-6C8PV.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-8E28I.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-4I7MA.tmp	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uva.dll	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\is-AASHD.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-D10HJ.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-8VJ34.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-DMHAP.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-4CF1D.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\is-1AAPH.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-82S2J.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-R8LFK.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-IBA5T.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-SVVGT.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-33V58.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-21M82.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-SA3MC.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-8NDPU.tmp	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvh64.dll	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-T9OI9.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-7F0AT.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-41792.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-5PDGA.tmp	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll	tmp22D7.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uva64.dll	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\is-JL9L6.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-5CH6G.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-1JJBB.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-PTMH4.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\is-V4F7F.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-8V1RP.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-ONNHG.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-JAQH2.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\is-5J1E5.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-6QKOM.tmp	tmp22D7.tmp
File created	C:\Program Files (x86)\UltraViewer\Update\is-FTPCH.tmp	tmp22D7.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1780	sc.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
672	net.exe
1604	net.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2032	taskkill.exe
988	taskkill.exe
340	taskkill.exe
1360	taskkill.exe
956	taskkill.exe
1760	taskkill.exe
1624	taskkill.exe
1364	taskkill.exe
1736	taskkill.exe
1792	taskkill.exe
1632	taskkill.exe
700	taskkill.exe
1760	taskkill.exe
1716	taskkill.exe
2024	taskkill.exe
840	taskkill.exe
1540	taskkill.exe
768	taskkill.exe
964	taskkill.exe
1060	taskkill.exe
2024	taskkill.exe
1540	taskkill.exe
1600	taskkill.exe
1556	taskkill.exe
1004	taskkill.exe
1588	taskkill.exe
284	taskkill.exe
1748	taskkill.exe
1584	taskkill.exe
1308	taskkill.exe
2036	taskkill.exe
1564	taskkill.exe
1492	taskkill.exe
1596	taskkill.exe
284	taskkill.exe
1588	taskkill.exe
564	taskkill.exe
1968	taskkill.exe
1008	taskkill.exe
708	taskkill.exe
1296	taskkill.exe
436	taskkill.exe
2036	taskkill.exe
1272	taskkill.exe
960	taskkill.exe
1632	taskkill.exe
672	taskkill.exe
1624	taskkill.exe
756	taskkill.exe
1604	taskkill.exe
1032	taskkill.exe
1616	taskkill.exe
1284	taskkill.exe
896	taskkill.exe
1972	taskkill.exe
676	taskkill.exe
960	taskkill.exe
1060	taskkill.exe
1016	taskkill.exe
1972	taskkill.exe
288	taskkill.exe
340	taskkill.exe
2004	taskkill.exe
1484	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	UVUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	UVUpdater.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
888	UVUpdater.exe
888	UVUpdater.exe
584	UVUninstallHelper.exe
1964	tmp22D7.tmp
1964	tmp22D7.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	UVUpdater.exe
Token: SeDebugPrivilege	584	UVUninstallHelper.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1964	tmp22D7.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1000	888	UVUpdater.exe	28
PID 888 wrote to memory of 1000	888	UVUpdater.exe	28
PID 888 wrote to memory of 1000	888	UVUpdater.exe	28
PID 888 wrote to memory of 1000	888	UVUpdater.exe	28
PID 888 wrote to memory of 1000	888	UVUpdater.exe	28
PID 888 wrote to memory of 1000	888	UVUpdater.exe	28
PID 888 wrote to memory of 1000	888	UVUpdater.exe	28
PID 1000 wrote to memory of 1964	1000	tmp22D7.tmp	29
PID 1000 wrote to memory of 1964	1000	tmp22D7.tmp	29
PID 1000 wrote to memory of 1964	1000	tmp22D7.tmp	29
PID 1000 wrote to memory of 1964	1000	tmp22D7.tmp	29
PID 1000 wrote to memory of 1964	1000	tmp22D7.tmp	29
PID 1000 wrote to memory of 1964	1000	tmp22D7.tmp	29
PID 1000 wrote to memory of 1964	1000	tmp22D7.tmp	29
PID 1964 wrote to memory of 584	1964	tmp22D7.tmp	30
PID 1964 wrote to memory of 584	1964	tmp22D7.tmp	30
PID 1964 wrote to memory of 584	1964	tmp22D7.tmp	30
PID 1964 wrote to memory of 584	1964	tmp22D7.tmp	30
PID 1964 wrote to memory of 584	1964	tmp22D7.tmp	30
PID 1964 wrote to memory of 584	1964	tmp22D7.tmp	30
PID 1964 wrote to memory of 584	1964	tmp22D7.tmp	30
PID 1964 wrote to memory of 672	1964	tmp22D7.tmp	31
PID 1964 wrote to memory of 672	1964	tmp22D7.tmp	31
PID 1964 wrote to memory of 672	1964	tmp22D7.tmp	31
PID 1964 wrote to memory of 672	1964	tmp22D7.tmp	31
PID 672 wrote to memory of 1632	672	net.exe	33
PID 672 wrote to memory of 1632	672	net.exe	33
PID 672 wrote to memory of 1632	672	net.exe	33
PID 672 wrote to memory of 1632	672	net.exe	33
PID 1964 wrote to memory of 1604	1964	tmp22D7.tmp	34
PID 1964 wrote to memory of 1604	1964	tmp22D7.tmp	34
PID 1964 wrote to memory of 1604	1964	tmp22D7.tmp	34
PID 1964 wrote to memory of 1604	1964	tmp22D7.tmp	34
PID 1604 wrote to memory of 1596	1604	net.exe	36
PID 1604 wrote to memory of 1596	1604	net.exe	36
PID 1604 wrote to memory of 1596	1604	net.exe	36
PID 1604 wrote to memory of 1596	1604	net.exe	36
PID 1964 wrote to memory of 1780	1964	tmp22D7.tmp	37
PID 1964 wrote to memory of 1780	1964	tmp22D7.tmp	37
PID 1964 wrote to memory of 1780	1964	tmp22D7.tmp	37
PID 1964 wrote to memory of 1780	1964	tmp22D7.tmp	37
PID 1964 wrote to memory of 436	1964	tmp22D7.tmp	39
PID 1964 wrote to memory of 436	1964	tmp22D7.tmp	39
PID 1964 wrote to memory of 436	1964	tmp22D7.tmp	39
PID 1964 wrote to memory of 436	1964	tmp22D7.tmp	39
PID 1964 wrote to memory of 1608	1964	tmp22D7.tmp	42
PID 1964 wrote to memory of 1608	1964	tmp22D7.tmp	42
PID 1964 wrote to memory of 1608	1964	tmp22D7.tmp	42
PID 1964 wrote to memory of 1608	1964	tmp22D7.tmp	42
PID 1964 wrote to memory of 772	1964	tmp22D7.tmp	44
PID 1964 wrote to memory of 772	1964	tmp22D7.tmp	44
PID 1964 wrote to memory of 772	1964	tmp22D7.tmp	44
PID 1964 wrote to memory of 772	1964	tmp22D7.tmp	44
PID 1964 wrote to memory of 288	1964	tmp22D7.tmp	46
PID 1964 wrote to memory of 288	1964	tmp22D7.tmp	46
PID 1964 wrote to memory of 288	1964	tmp22D7.tmp	46
PID 1964 wrote to memory of 288	1964	tmp22D7.tmp	46
PID 1964 wrote to memory of 2036	1964	tmp22D7.tmp	48
PID 1964 wrote to memory of 2036	1964	tmp22D7.tmp	48
PID 1964 wrote to memory of 2036	1964	tmp22D7.tmp	48
PID 1964 wrote to memory of 2036	1964	tmp22D7.tmp	48
PID 1964 wrote to memory of 2024	1964	tmp22D7.tmp	50
PID 1964 wrote to memory of 2024	1964	tmp22D7.tmp	50
PID 1964 wrote to memory of 2024	1964	tmp22D7.tmp	50

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Program Files (x86)\UltraViewer\Update\UVUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Program Files (x86)\UltraViewer\Update\UVUpdater.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\tmp22D7.tmp
  "C:\Users\Admin\AppData\Local\Temp\tmp22D7.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\is-NA3H9.tmp\tmp22D7.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-NA3H9.tmp\tmp22D7.tmp" /SL5="$1015C,3448690,121344,C:\Users\Admin\AppData\Local\Temp\tmp22D7.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\is-P2C2Q.tmp\UVUninstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-P2C2Q.tmp\UVUninstallHelper.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:584
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:1632
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:1596
  - - C:\Windows\SysWOW64\sc.exe
      "sc" delete UltraViewService
      4⤵
      Launches sc.exe
      PID:1780
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:436
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:772
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:288
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2024
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1364
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:804
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:284
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1736
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:580
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:676
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:772
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2024
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1404
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1060
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:800
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:840
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1272
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1540
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1564
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1624
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1360
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:800
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:868
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1564
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:672
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:988
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:340
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1008
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:964
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:636
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1060
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:708
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1284
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1624
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1360
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1016
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:956
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1272
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1596
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:896
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:284
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1760
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1748
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:960
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:756
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:288
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:340
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1540
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:700
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1032
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1624
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1308
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1296
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraViewer\is-0HRN9.tmp

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar154D.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NA3H9.tmp\tmp22D7.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NA3H9.tmp\tmp22D7.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P2C2Q.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P2C2Q.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P2C2Q.tmp\UVUninstallHelper.exe.config

Filesize
225B

MD5
679aca3e8125584e8704b2dfdfa20a0b

SHA1
bab48dc1c46f6d8b2c38cf47d9435ae9f8bf295e

SHA256
470ce4147bff777ebefc7ccc9e2d1bc5df203b727134fc90b0134bf3cdc7add4

SHA512
8441e36e9091dae33350083b1824bc154f969c4fa86c5984c45e0bd59536933e48773ff4bfb4297e543cb270149025dca82c6bdfad2ca1639f4df58f8abcae6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp22D7.tmp

Filesize
3.7MB

MD5
138f52ffae8eb9bce23715a1a60e1efa

SHA1
fe72e7744547952fb2415df01ab85e1f310690e2

SHA256
656f7e6b2dd166034e8dd3c81379054b57c01d73fb035dbbbfa3fe1d510a75fb

SHA512
5db896207c7c54630508647f5cfd764e4f23939450acc9e9c0b3a6d5e1251e7b2166d7c0f66de028153769755c64029d917b9fe306d732ea9fdaa94946b04b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp22D7.tmp

Filesize
3.7MB

MD5
138f52ffae8eb9bce23715a1a60e1efa

SHA1
fe72e7744547952fb2415df01ab85e1f310690e2

SHA256
656f7e6b2dd166034e8dd3c81379054b57c01d73fb035dbbbfa3fe1d510a75fb

SHA512
5db896207c7c54630508647f5cfd764e4f23939450acc9e9c0b3a6d5e1251e7b2166d7c0f66de028153769755c64029d917b9fe306d732ea9fdaa94946b04b1c

Download Submit
\Users\Admin\AppData\Local\Temp\is-NA3H9.tmp\tmp22D7.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
\Users\Admin\AppData\Local\Temp\is-P2C2Q.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
\Users\Admin\AppData\Local\Temp\is-P2C2Q.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-P2C2Q.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp22D7.tmp

Filesize
3.7MB

MD5
138f52ffae8eb9bce23715a1a60e1efa

SHA1
fe72e7744547952fb2415df01ab85e1f310690e2

SHA256
656f7e6b2dd166034e8dd3c81379054b57c01d73fb035dbbbfa3fe1d510a75fb

SHA512
5db896207c7c54630508647f5cfd764e4f23939450acc9e9c0b3a6d5e1251e7b2166d7c0f66de028153769755c64029d917b9fe306d732ea9fdaa94946b04b1c

Download Submit
memory/888-82-0x0000000002930000-0x0000000002970000-memory.dmp

Filesize
256KB

Download
memory/888-231-0x0000000002930000-0x0000000002970000-memory.dmp

Filesize
256KB

Download
memory/1000-217-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1000-119-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1964-135-0x0000000001F90000-0x0000000001FB2000-memory.dmp

Filesize
136KB

Download
memory/1964-218-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1964-129-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1964-276-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1964-314-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1964-351-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download