4a4d65a9fbba6b8b36c700f2483039932bb56987a0f047f82ffc4d74bf5a9d8a

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2023 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume3/Program Files (x86)/UltraViewer/Update/UVUpdater.exe
Size

3.7MB
MD5

5a25dc52d6248b6014d823a816dff477
SHA1

082044061f252e2d90fd0d8689b2eb72cba434ce
SHA256

8b2e4d77f99fe573244597dc8f1733656ee0ffb8ca6365d968af93f7f8943f56
SHA512

5737d372b480f335355056bd245cb8d65b7f77ab4058607aade7f6eeab9c388a2ba7d962acceb6fc65ed67cb7165f13796eb0c0615acfb698acb1e073576fcb7
SSDEEP

98304:I5zZ80gsEX+LjrKnRYgHFW2Ho7k7O5iN0BFCgvRRnf9ViPa:If80gsl3rKnTK5s0qg5Hca

Score

8^/10

discovery evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 7 IoCs

pid	Process
5016	tmp796B.tmp
1892	tmp796B.tmp
2216	UVUninstallHelper.exe
3056	UltraViewer_Desktop.exe
3296	UltraViewer_Desktop.exe
2960	UltraViewer_Service.exe
3024	UltraViewer_Desktop.exe

Loads dropped DLL 23 IoCs

pid	Process
1892	tmp796B.tmp
1892	tmp796B.tmp
1892	tmp796B.tmp
4928	regasm.exe
4928	regasm.exe
4928	regasm.exe
4928	regasm.exe
4928	regasm.exe
4928	regasm.exe
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
1152	regasm.exe
1152	regasm.exe
1152	regasm.exe
1152	regasm.exe
3296	UltraViewer_Desktop.exe
3296	UltraViewer_Desktop.exe
3296	UltraViewer_Desktop.exe
3024	UltraViewer_Desktop.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231f2-398.dat	upx
behavioral2/files/0x00060000000231f2-421.dat	upx
behavioral2/files/0x00060000000231f2-422.dat	upx
behavioral2/memory/3056-429-0x0000000000400000-0x0000000000816000-memory.dmp	upx
behavioral2/memory/3056-455-0x0000000000400000-0x0000000000816000-memory.dmp	upx
behavioral2/files/0x00060000000231f2-468.dat	upx
behavioral2/memory/3296-494-0x0000000000400000-0x0000000000816000-memory.dmp	upx
behavioral2/files/0x00060000000231f2-495.dat	upx
behavioral2/memory/3024-506-0x0000000000400000-0x0000000000816000-memory.dmp	upx
behavioral2/memory/3024-510-0x0000000000400000-0x0000000000816000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log	RegAsm.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UltraViewer\uva64.dll	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-OP677.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-M8URQ.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-0IR5L.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-E1R6J.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-JUCBF.tmp	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewerService_log.txt	UltraViewer_Service.exe
File created	C:\Program Files (x86)\UltraViewer\is-T14A2.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-6ID7F.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-PVJS0.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-DVEOT.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-K68HC.tmp	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uv_clib.dll	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-8RTN3.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-C607N.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-PGIJ8.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-Q5OOE.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-20MM2.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-4QNOG.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\UltraViewerService_log.txt	UltraViewer_Service.exe
File opened for modification	C:\Program Files (x86)\UltraViewer\NAudio.dll	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-796K5.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-G99EC.tmp	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvc.dll	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-GJMAT.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-NODID.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-63CLJ.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-6HJC6.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-UAQKS.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-0B1PB.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-FM6GQ.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-19KQP.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-DTMRP.tmp	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uva.dll	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvh.dll	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-C1NRA.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-LLB95.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-B8EO2.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-DV0G6.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-8CS2A.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-17HVI.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-I5UQU.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-9R3S1.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-MVOHP.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\sounds\is-L2ECD.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-4CJCL.tmp	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl.dll	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-FQN4D.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\js\is-8OR9M.tmp	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\msvbvm60.dll	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-Q11V1.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-3EGGK.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-R984H.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.tlb	regasm.exe
File created	C:\Program Files (x86)\UltraViewer\Language\is-CB1OI.tmp	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll	tmp796B.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvh64.dll	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-J9UO6.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\is-EHS3N.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-1SQ2I.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-2P07P.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-NRAIM.tmp	tmp796B.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-N8EAD.tmp	tmp796B.tmp

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3612	sc.exe
1656	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4640	net.exe
1116	net.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1464	taskkill.exe
528	taskkill.exe
372	taskkill.exe
1072	taskkill.exe
4300	taskkill.exe
3724	taskkill.exe
1116	taskkill.exe
5024	taskkill.exe
4260	taskkill.exe
4224	taskkill.exe
1316	taskkill.exe
212	taskkill.exe
1688	taskkill.exe
2160	taskkill.exe
5108	taskkill.exe
3352	taskkill.exe
1460	taskkill.exe
1660	taskkill.exe
4800	taskkill.exe
324	taskkill.exe
2692	taskkill.exe
1780	taskkill.exe
4224	taskkill.exe
1524	taskkill.exe
4756	taskkill.exe
4220	taskkill.exe
3428	taskkill.exe
5056	taskkill.exe
3356	taskkill.exe
1936	taskkill.exe
4760	taskkill.exe
4324	taskkill.exe
1396	taskkill.exe
4436	taskkill.exe
2000	taskkill.exe
2512	taskkill.exe
5052	taskkill.exe
4120	taskkill.exe
2404	taskkill.exe
208	taskkill.exe
3032	taskkill.exe
3968	taskkill.exe
4304	taskkill.exe
1572	taskkill.exe
884	taskkill.exe
2632	taskkill.exe
3296	taskkill.exe
1448	taskkill.exe
2316	taskkill.exe
1572	taskkill.exe
4472	taskkill.exe
4668	taskkill.exe
4160	taskkill.exe
4332	taskkill.exe
3504	taskkill.exe
3952	taskkill.exe
4148	taskkill.exe
672	taskkill.exe
4368	taskkill.exe
2160	taskkill.exe
4148	taskkill.exe
4040	taskkill.exe
2032	taskkill.exe
1416	taskkill.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	UltraViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UltraViewer_Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	UltraViewer_Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	UltraViewer_Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	UltraViewer_Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	UltraViewer_Service.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77D3EC79-5618-3AA1-9C07-FBB008946C7D}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC4BBE22-E76B-3524-AFA7-76BE20349172}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A074C60F-D82F-4695-9E07-826FDAAF223E}\InprocServer32\1.0.0.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E129325-EE54-498B-AD67-847BD01AC114}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{536CEB69-5373-4841-A192-CB34F6913CB7}\Implemented Categories	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4E482A0-F8DF-4E68-B101-489B1AFD0BD2}\Implemented Categories	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VistaTreeView	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{315B6B9D-9F15-47F7-B653-8D337ED695C3}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47B6BF0F-9841-4EBE-8923-810D30699BAF}\ = "_VDictionary_R"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD60F137-47AE-4334-937C-8000EC5FE328}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B3C5CC6-C47C-319D-A9D1-2EC671F46903}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689A44FB-677C-41AF-A58D-9E61F33323D5}\ProgId	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{046EE856-9C88-44B5-BF63-D804EFA487B7}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD1E36E1-D824-3B12-A143-B47EA493F2B7}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77D3EC79-5618-3AA1-9C07-FBB008946C7D}\TypeLib\Version = "1.0"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80BAEE4D-7EC4-3C59-A8D4-DC468C2DFC05}\TypeLib\Version = "1.0"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B669374-FA72-3081-BD98-89870D8D7618}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F0896B59-03A4-393C-AC58-DE8D3F4F1CD6}\1.0.0.0\Assembly = "RemoteControl, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D87B5289-A84D-4B4D-B241-3A42C6D05D54}\Implemented Categories	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02B5D7FB-078A-4D22-89FB-B6B15DB2A924}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B0A46D6-D3A7-42E2-88EF-10267D530F02}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CDB933A0-8A3D-4835-ABEC-D67E1ED3D2E6}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{490965B4-B610-395F-88AB-AF3A3CE0FB44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B14C8EF1-40C8-45B4-9513-807F82448620}\InprocServer32\1.0.0.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EDF6548C-EBE0-41C2-A301-D8761B7F7E02}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13B00CF7-9C7F-34EA-B4BB-4C7D105F585E}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{045196B7-CF2F-3DAB-9A3F-E40EC5E61EBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F5B044-1384-353A-B3ED-A2A930E4B3C1}\ = "_SendErrorEventHandler"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.frmEditContactvb\CLSID\ = "{99E71D7F-9CF7-36F0-B0A2-14F60AAD78B6}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{93ECA15C-2992-42A0-9CD4-5725C7895EDA}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.clsStoredFrame+VCompressor\CLSID\ = "{0ADF308F-B824-4FD9-8C0B-93DA7B8A7E34}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4ADA8BC0-6216-47A7-9114-668C315DEA94}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C03E5362-4CFF-362D-879E-DC41FD04D2CB}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.ExtendTreeView\CLSID	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E0E9F85-8851-43E9-9FE4-8A5AF642A9D3}\InprocServer32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.clsStoredFrame+VTelegram	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA8F7A4D-BD4F-4CA7-91FE-7253A090D5B8}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73E3104E-1F1B-4C42-8DF5-1338F3A65F1E}\ = "_VListObject"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0A67FDF-2555-36C0-98F7-503D5A3D7D22}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{75A28301-6615-38C1-AA2E-EB4E89DD92D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00DBE1BA-02B2-32AA-BA68-D54244720B93}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC99602-9551-3713-ACBC-AF77516182E3}\InprocServer32\Class = "RemoteControl.GlobalExceptionHandle"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VChatBrowser\ = "RemoteControl.VChatBrowser"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{55AD9A55-C879-4B8B-99AB-AD5CFC268F10}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B3A19CB-4A4E-4FAE-AA9E-66B99C2B16CD}\TypeLib\Version = "1.0"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37269AEE-0B02-4B79-BAF2-25E1E7CF5515}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0258109-D76B-46E0-A8D2-FBA990010093}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49272F85-DE83-33D1-A91F-292F12876C5B}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{867C3F99-D25B-3722-9807-380D2C204DC5}\ = "_ConnectedEventHandler_2"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.frmAddGroup	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VListRect\ = "RemoteControl.VListRect"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F271EFB2-B5CC-4AEF-AADE-16693B26BA0B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68D94B73-4CFB-42DD-B15B-E4E5F679BD08}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66D294A1-137A-36A8-B70D-1F457E0F7E9D}\ = "_DocumentMouseUpRightEventHandler"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{116A4A06-B77B-3C08-ADC9-C39E7BFAF773}\TypeLib\Version = "1.0"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80BAEE4D-7EC4-3C59-A8D4-DC468C2DFC05}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE272A8A-DD78-3059-BE82-4A145DF84B62}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F1D3947-534E-3992-BD40-3507AFF9C091}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB73B12-F602-3BDF-ADC0-D694A769EA8B}\TypeLib\Version = "1.0"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F8615B4-DDBA-31CE-8928-7CEE5E1D969A}\ = "_NewOffsetEventHandler"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3F27AAE4-C0F4-3CC6-8A29-BB11CA9B91C5}\1.0.0.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2845DDC4-3AB7-425E-BCB7-7AB279C35F35}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{131971DF-8C34-4633-95F5-5662B6E0A1CF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15ECF2A6-2F4C-3ACD-A0FC-F034C6351C0E}	regasm.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	UVUpdater.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	UVUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3056	UltraViewer_Desktop.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4584	UVUpdater.exe
4584	UVUpdater.exe
2216	UVUninstallHelper.exe
1892	tmp796B.tmp
1892	tmp796B.tmp
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
2960	UltraViewer_Service.exe
4584	UVUpdater.exe
4584	UVUpdater.exe
4584	UVUpdater.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	UVUpdater.exe
Token: SeDebugPrivilege	2216	UVUninstallHelper.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1892	tmp796B.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
3056	UltraViewer_Desktop.exe
3296	UltraViewer_Desktop.exe
3024	UltraViewer_Desktop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 5016	4584	UVUpdater.exe	83
PID 4584 wrote to memory of 5016	4584	UVUpdater.exe	83
PID 4584 wrote to memory of 5016	4584	UVUpdater.exe	83
PID 5016 wrote to memory of 1892	5016	tmp796B.tmp	84
PID 5016 wrote to memory of 1892	5016	tmp796B.tmp	84
PID 5016 wrote to memory of 1892	5016	tmp796B.tmp	84
PID 1892 wrote to memory of 2216	1892	tmp796B.tmp	85
PID 1892 wrote to memory of 2216	1892	tmp796B.tmp	85
PID 1892 wrote to memory of 2216	1892	tmp796B.tmp	85
PID 1892 wrote to memory of 4640	1892	tmp796B.tmp	86
PID 1892 wrote to memory of 4640	1892	tmp796B.tmp	86
PID 1892 wrote to memory of 4640	1892	tmp796B.tmp	86
PID 4640 wrote to memory of 912	4640	net.exe	88
PID 4640 wrote to memory of 912	4640	net.exe	88
PID 4640 wrote to memory of 912	4640	net.exe	88
PID 1892 wrote to memory of 1116	1892	tmp796B.tmp	89
PID 1892 wrote to memory of 1116	1892	tmp796B.tmp	89
PID 1892 wrote to memory of 1116	1892	tmp796B.tmp	89
PID 1116 wrote to memory of 1508	1116	net.exe	91
PID 1116 wrote to memory of 1508	1116	net.exe	91
PID 1116 wrote to memory of 1508	1116	net.exe	91
PID 1892 wrote to memory of 3612	1892	tmp796B.tmp	92
PID 1892 wrote to memory of 3612	1892	tmp796B.tmp	92
PID 1892 wrote to memory of 3612	1892	tmp796B.tmp	92
PID 1892 wrote to memory of 3440	1892	tmp796B.tmp	94
PID 1892 wrote to memory of 3440	1892	tmp796B.tmp	94
PID 1892 wrote to memory of 3440	1892	tmp796B.tmp	94
PID 1892 wrote to memory of 2160	1892	tmp796B.tmp	96
PID 1892 wrote to memory of 2160	1892	tmp796B.tmp	96
PID 1892 wrote to memory of 2160	1892	tmp796B.tmp	96
PID 1892 wrote to memory of 1936	1892	tmp796B.tmp	98
PID 1892 wrote to memory of 1936	1892	tmp796B.tmp	98
PID 1892 wrote to memory of 1936	1892	tmp796B.tmp	98
PID 1892 wrote to memory of 5052	1892	tmp796B.tmp	102
PID 1892 wrote to memory of 5052	1892	tmp796B.tmp	102
PID 1892 wrote to memory of 5052	1892	tmp796B.tmp	102
PID 1892 wrote to memory of 1572	1892	tmp796B.tmp	104
PID 1892 wrote to memory of 1572	1892	tmp796B.tmp	104
PID 1892 wrote to memory of 1572	1892	tmp796B.tmp	104
PID 1892 wrote to memory of 884	1892	tmp796B.tmp	106
PID 1892 wrote to memory of 884	1892	tmp796B.tmp	106
PID 1892 wrote to memory of 884	1892	tmp796B.tmp	106
PID 1892 wrote to memory of 1416	1892	tmp796B.tmp	109
PID 1892 wrote to memory of 1416	1892	tmp796B.tmp	109
PID 1892 wrote to memory of 1416	1892	tmp796B.tmp	109
PID 1892 wrote to memory of 1688	1892	tmp796B.tmp	111
PID 1892 wrote to memory of 1688	1892	tmp796B.tmp	111
PID 1892 wrote to memory of 1688	1892	tmp796B.tmp	111
PID 1892 wrote to memory of 324	1892	tmp796B.tmp	113
PID 1892 wrote to memory of 324	1892	tmp796B.tmp	113
PID 1892 wrote to memory of 324	1892	tmp796B.tmp	113
PID 1892 wrote to memory of 1768	1892	tmp796B.tmp	115
PID 1892 wrote to memory of 1768	1892	tmp796B.tmp	115
PID 1892 wrote to memory of 1768	1892	tmp796B.tmp	115
PID 1892 wrote to memory of 2632	1892	tmp796B.tmp	117
PID 1892 wrote to memory of 2632	1892	tmp796B.tmp	117
PID 1892 wrote to memory of 2632	1892	tmp796B.tmp	117
PID 1892 wrote to memory of 4148	1892	tmp796B.tmp	120
PID 1892 wrote to memory of 4148	1892	tmp796B.tmp	120
PID 1892 wrote to memory of 4148	1892	tmp796B.tmp	120
PID 1892 wrote to memory of 4260	1892	tmp796B.tmp	121
PID 1892 wrote to memory of 4260	1892	tmp796B.tmp	121
PID 1892 wrote to memory of 4260	1892	tmp796B.tmp	121
PID 1892 wrote to memory of 4472	1892	tmp796B.tmp	124

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Program Files (x86)\UltraViewer\Update\UVUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Program Files (x86)\UltraViewer\Update\UVUpdater.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\tmp796B.tmp
  "C:\Users\Admin\AppData\Local\Temp\tmp796B.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\is-S07ME.tmp\tmp796B.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-S07ME.tmp\tmp796B.tmp" /SL5="$50056,3448690,121344,C:\Users\Admin\AppData\Local\Temp\tmp796B.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\is-F1QR4.tmp\UVUninstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-F1QR4.tmp\UVUninstallHelper.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:912
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:1508
  - - C:\Windows\SysWOW64\sc.exe
      "sc" delete UltraViewService
      4⤵
      Launches sc.exe
      PID:3612
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3440
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:884
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1416
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:324
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4148
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4260
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3296
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4668
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4040
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4968
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3204
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:528
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4160
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1448
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:372
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4224
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4760
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4332
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5108
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3352
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1148
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4812
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1396
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4144
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2316
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1448
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4220
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1072
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4224
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3504
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3528
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4428
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3428
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3848
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2404
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3940
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4204
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:208
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3952
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3356
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4324
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4148
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:3032
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:672
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1316
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4120
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4368
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1148
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1396
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1572
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:264
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:3724
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4436
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1116
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:3968
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4304
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:4128
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:2512
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:212
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:5024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl.dll" /tlb
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4928
  - - C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
      "C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" validate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" "C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll" /tlb
      4⤵
      Loads dropped DLL
      Drops file in Program Files directory
      PID:1152
  - - C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
      "C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3296
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure "UltraViewService" reset= 0 actions= restart/60000
        5⤵
        Launches sc.exe
        
        PID:1656
  - - C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
      "C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" regasm40
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3024

C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe
"C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
  2⤵
  - Drops file in System32 directory
  PID:4756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
  2⤵
  PID:3652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
  2⤵
  PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll

Filesize
132KB

MD5
33bb06b97f8f188735f4aae5b413eef8

SHA1
e5c236f39d5b9d25b650cba7707df9149d3f4d16

SHA256
931f124016a15c30b3cf698534249b727eeed2b2de89236dd4c806e515668bc2

SHA512
abb484dcc03edbd7a1994affee0a11d38e13bb9ea171c3254982df5485272b3128a3594c05f8a9c1f9a8149578829dfee1decd0fdcb7f896de9b71e324f0ed4c

Download Submit
C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll

Filesize
132KB

MD5
33bb06b97f8f188735f4aae5b413eef8

SHA1
e5c236f39d5b9d25b650cba7707df9149d3f4d16

SHA256
931f124016a15c30b3cf698534249b727eeed2b2de89236dd4c806e515668bc2

SHA512
abb484dcc03edbd7a1994affee0a11d38e13bb9ea171c3254982df5485272b3128a3594c05f8a9c1f9a8149578829dfee1decd0fdcb7f896de9b71e324f0ed4c

Download Submit
C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll

Filesize
132KB

MD5
33bb06b97f8f188735f4aae5b413eef8

SHA1
e5c236f39d5b9d25b650cba7707df9149d3f4d16

SHA256
931f124016a15c30b3cf698534249b727eeed2b2de89236dd4c806e515668bc2

SHA512
abb484dcc03edbd7a1994affee0a11d38e13bb9ea171c3254982df5485272b3128a3594c05f8a9c1f9a8149578829dfee1decd0fdcb7f896de9b71e324f0ed4c

Download Submit
C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll

Filesize
132KB

MD5
33bb06b97f8f188735f4aae5b413eef8

SHA1
e5c236f39d5b9d25b650cba7707df9149d3f4d16

SHA256
931f124016a15c30b3cf698534249b727eeed2b2de89236dd4c806e515668bc2

SHA512
abb484dcc03edbd7a1994affee0a11d38e13bb9ea171c3254982df5485272b3128a3594c05f8a9c1f9a8149578829dfee1decd0fdcb7f896de9b71e324f0ed4c

Download Submit
C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll

Filesize
132KB

MD5
33bb06b97f8f188735f4aae5b413eef8

SHA1
e5c236f39d5b9d25b650cba7707df9149d3f4d16

SHA256
931f124016a15c30b3cf698534249b727eeed2b2de89236dd4c806e515668bc2

SHA512
abb484dcc03edbd7a1994affee0a11d38e13bb9ea171c3254982df5485272b3128a3594c05f8a9c1f9a8149578829dfee1decd0fdcb7f896de9b71e324f0ed4c

Download Submit
C:\Program Files (x86)\UltraViewer\Language\English.txt

Filesize
14KB

MD5
b6a8ccdc51964e1551bef57b4a42a899

SHA1
52de4c2fc039af9a2f1295e8419123ba89ee5858

SHA256
c615da39ed0990bbad49686307872b18084b51bc8e401bd47a36509c66d2cc0a

SHA512
8d1e92a56373f79d850789152c9758a1f36a71bb9ee68982d50ea92537c3ce2f30ff9cfb707040f4c7dd3eb459082cfc849e511823bc4c210a88aa6db011dda6

Download Submit
C:\Program Files (x86)\UltraViewer\Language\LanguageList.ini

Filesize
1KB

MD5
473b3896eae7ea66f61e9d0ffbe5b9b1

SHA1
d7ef69586317f7472ce400bc7bef75bfa4095592

SHA256
d3ee6fc3b7418afa19292eb7f6b872cae8ec04290b9ee1bd4cea8d8e88aec52f

SHA512
981ae52e4206bf04b345642ae87c88889e83d0c47e7251755d179d00fd35117e670205dab9d15042e26bc53dc18112206a5a650120928a52916bfadbc3a1fb66

Download Submit
C:\Program Files (x86)\UltraViewer\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\UltraViewer\NAudio.dll

Filesize
496KB

MD5
5da17fa97fce539c78e3018ee1c29cd0

SHA1
cff12edd4361fa5c310250ebaacbfc54274f00c8

SHA256
92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe

SHA512
1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5

Download Submit
C:\Program Files (x86)\UltraViewer\NAudio.dll

Filesize
496KB

MD5
5da17fa97fce539c78e3018ee1c29cd0

SHA1
cff12edd4361fa5c310250ebaacbfc54274f00c8

SHA256
92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe

SHA512
1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5

Download Submit
C:\Program Files (x86)\UltraViewer\NAudio.dll

Filesize
496KB

MD5
5da17fa97fce539c78e3018ee1c29cd0

SHA1
cff12edd4361fa5c310250ebaacbfc54274f00c8

SHA256
92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe

SHA512
1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5

Download Submit
C:\Program Files (x86)\UltraViewer\NAudio.dll

Filesize
496KB

MD5
5da17fa97fce539c78e3018ee1c29cd0

SHA1
cff12edd4361fa5c310250ebaacbfc54274f00c8

SHA256
92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe

SHA512
1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5

Download Submit
C:\Program Files (x86)\UltraViewer\NAudio.dll

Filesize
496KB

MD5
5da17fa97fce539c78e3018ee1c29cd0

SHA1
cff12edd4361fa5c310250ebaacbfc54274f00c8

SHA256
92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe

SHA512
1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
ea0aea9ab8e38a0d848754c120e8c3f6

SHA1
63091e0db17c98a26168bc391a455f308c9a17c8

SHA256
b0e214988e3c3ced0bca3773db884a83ed3262e3ecc0bb20df5b0b2ef9394116

SHA512
3c10d2181465e6ff188f9b60913030ef7b98ce58147a725d9b59211afc559b2aff5aa4c7c8f8781a4b99f5c3b020f6c810974f77c03c7e2a05b9bc548cd83fee

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.tlb

Filesize
236KB

MD5
6905ce31fccabd2c0b51bf910698ad83

SHA1
940ea6dbd498cb89423e58186222da2cc09fb45f

SHA256
670896b87a02b8cf9d715ad0c62ed04160ddc5fc075adc52cb2eb038f9ecd282

SHA512
6a31920226a5b774134ad7ff686b42f1965496efc6516e1dae4634b7c172243a35ba005dcb50e3c2d570a1e9228cc2fd11cc67679a0b79998ff67dbd71b0cbc4

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe

Filesize
979KB

MD5
907f91ee555e942ce3d8707c8a4b27cf

SHA1
2ee2cc5fe00ad83ff0f75cfb8c3f2f7a52998960

SHA256
0975e20fe4f79031a9c01099bb81387a18068e2ccfa1e428030a17ce19169690

SHA512
600d79e580927cc0c762b44a029141c904dd9264845f56e13f6e43acd6b5c397efb2b5882666143d294872c6ee0b506bd6a943591af12febada5b3c414b00481

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe

Filesize
979KB

MD5
907f91ee555e942ce3d8707c8a4b27cf

SHA1
2ee2cc5fe00ad83ff0f75cfb8c3f2f7a52998960

SHA256
0975e20fe4f79031a9c01099bb81387a18068e2ccfa1e428030a17ce19169690

SHA512
600d79e580927cc0c762b44a029141c904dd9264845f56e13f6e43acd6b5c397efb2b5882666143d294872c6ee0b506bd6a943591af12febada5b3c414b00481

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe

Filesize
979KB

MD5
907f91ee555e942ce3d8707c8a4b27cf

SHA1
2ee2cc5fe00ad83ff0f75cfb8c3f2f7a52998960

SHA256
0975e20fe4f79031a9c01099bb81387a18068e2ccfa1e428030a17ce19169690

SHA512
600d79e580927cc0c762b44a029141c904dd9264845f56e13f6e43acd6b5c397efb2b5882666143d294872c6ee0b506bd6a943591af12febada5b3c414b00481

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe

Filesize
979KB

MD5
907f91ee555e942ce3d8707c8a4b27cf

SHA1
2ee2cc5fe00ad83ff0f75cfb8c3f2f7a52998960

SHA256
0975e20fe4f79031a9c01099bb81387a18068e2ccfa1e428030a17ce19169690

SHA512
600d79e580927cc0c762b44a029141c904dd9264845f56e13f6e43acd6b5c397efb2b5882666143d294872c6ee0b506bd6a943591af12febada5b3c414b00481

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe

Filesize
979KB

MD5
907f91ee555e942ce3d8707c8a4b27cf

SHA1
2ee2cc5fe00ad83ff0f75cfb8c3f2f7a52998960

SHA256
0975e20fe4f79031a9c01099bb81387a18068e2ccfa1e428030a17ce19169690

SHA512
600d79e580927cc0c762b44a029141c904dd9264845f56e13f6e43acd6b5c397efb2b5882666143d294872c6ee0b506bd6a943591af12febada5b3c414b00481

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe.config

Filesize
310B

MD5
42b8d26600dcb85572ee43616f929d6a

SHA1
31a4c46641129ef59eb925621c1aa4f8401d776c

SHA256
99f95d44f1e42cf485132e722679f9d0c6f6cd5f560ce76dfd98abf8558377bc

SHA512
d485b45f06de66ff31b8db6706868ac3d3f89b3980bffaa05b539f0ad2b2373e72fd1aab4cfb8cf0dca7d52b43df195336f53cc9cfe99a9d87143c02a5470eae

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe

Filesize
225KB

MD5
dc92fa144927ee1cbe5d9be16f2000cc

SHA1
e8990de7e95263729bda2d853002e27ede9db6db

SHA256
d70b5c967207c67828197c285a0b89ed0ceb2b67103b1b7a10d95dc6b4c238c3

SHA512
359283fbcd06897c064a4dd945656520ab20ce5b82eac435d1b80f491cf3589054637bfd428a94f64ef45059bbb8d52254ffac6aaabd29372d6465282b6f6203

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe

Filesize
225KB

MD5
dc92fa144927ee1cbe5d9be16f2000cc

SHA1
e8990de7e95263729bda2d853002e27ede9db6db

SHA256
d70b5c967207c67828197c285a0b89ed0ceb2b67103b1b7a10d95dc6b4c238c3

SHA512
359283fbcd06897c064a4dd945656520ab20ce5b82eac435d1b80f491cf3589054637bfd428a94f64ef45059bbb8d52254ffac6aaabd29372d6465282b6f6203

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe.config

Filesize
225B

MD5
679aca3e8125584e8704b2dfdfa20a0b

SHA1
bab48dc1c46f6d8b2c38cf47d9435ae9f8bf295e

SHA256
470ce4147bff777ebefc7ccc9e2d1bc5df203b727134fc90b0134bf3cdc7add4

SHA512
8441e36e9091dae33350083b1824bc154f969c4fa86c5984c45e0bd59536933e48773ff4bfb4297e543cb270149025dca82c6bdfad2ca1639f4df58f8abcae6e

Download Submit
C:\Program Files (x86)\UltraViewer\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\UltraViewer\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\UltraViewer\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\UltraViewer\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\UltraViewer\uvh.dll

Filesize
124KB

MD5
8b3f15a335710c799eae2395fa6b322d

SHA1
81b9f58fe2c61e26e758690f59fa4de4bc8b462b

SHA256
09ab11cb97673838faf91b8d06ed9ff7ad460d7791715ee983b83004984a452c

SHA512
c0dd2302d5d00d8c1f7b21972a12d0ce8bfda07603e8cb3006e6df696458d15e3b8e7eeefa712195e3337ddda6de0f683d66963dde5484172517c6338e48dda9

Download Submit
C:\Program Files (x86)\UltraViewer\uvh.dll

Filesize
124KB

MD5
8b3f15a335710c799eae2395fa6b322d

SHA1
81b9f58fe2c61e26e758690f59fa4de4bc8b462b

SHA256
09ab11cb97673838faf91b8d06ed9ff7ad460d7791715ee983b83004984a452c

SHA512
c0dd2302d5d00d8c1f7b21972a12d0ce8bfda07603e8cb3006e6df696458d15e3b8e7eeefa712195e3337ddda6de0f683d66963dde5484172517c6338e48dda9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UltraViewer_Desktop.exe.log

Filesize
1KB

MD5
bf9fccd82a74ae0fe94fe7f265ac9bca

SHA1
701036824a82ddaba67b37f545eb42e8ddf996fd

SHA256
10fb5250e5422aba27206a81c71b72b98a1d2e250a2c112c0ffb8a9f28230144

SHA512
fdc4a7a0e839056f1d00a3242c25791fad96679e3d5f33da57d5b4acb84bf8d143bdc592714eeb35be1d231c9bea3cf00412b082d2a9c81f1340717a0852394e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regasm.exe.log

Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1QR4.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1QR4.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1QR4.tmp\UVUninstallHelper.exe.config

Filesize
225B

MD5
679aca3e8125584e8704b2dfdfa20a0b

SHA1
bab48dc1c46f6d8b2c38cf47d9435ae9f8bf295e

SHA256
470ce4147bff777ebefc7ccc9e2d1bc5df203b727134fc90b0134bf3cdc7add4

SHA512
8441e36e9091dae33350083b1824bc154f969c4fa86c5984c45e0bd59536933e48773ff4bfb4297e543cb270149025dca82c6bdfad2ca1639f4df58f8abcae6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1QR4.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1QR4.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1QR4.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S07ME.tmp\tmp796B.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S07ME.tmp\tmp796B.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp796B.tmp

Filesize
3.7MB

MD5
138f52ffae8eb9bce23715a1a60e1efa

SHA1
fe72e7744547952fb2415df01ab85e1f310690e2

SHA256
656f7e6b2dd166034e8dd3c81379054b57c01d73fb035dbbbfa3fe1d510a75fb

SHA512
5db896207c7c54630508647f5cfd764e4f23939450acc9e9c0b3a6d5e1251e7b2166d7c0f66de028153769755c64029d917b9fe306d732ea9fdaa94946b04b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp796B.tmp

Filesize
3.7MB

MD5
138f52ffae8eb9bce23715a1a60e1efa

SHA1
fe72e7744547952fb2415df01ab85e1f310690e2

SHA256
656f7e6b2dd166034e8dd3c81379054b57c01d73fb035dbbbfa3fe1d510a75fb

SHA512
5db896207c7c54630508647f5cfd764e4f23939450acc9e9c0b3a6d5e1251e7b2166d7c0f66de028153769755c64029d917b9fe306d732ea9fdaa94946b04b1c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
memory/1152-461-0x0000000005270000-0x0000000005298000-memory.dmp

Filesize
160KB

Download
memory/1892-299-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1892-167-0x0000000003B20000-0x0000000003B42000-memory.dmp

Filesize
136KB

Download
memory/1892-425-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1892-236-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1892-514-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1892-176-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1892-470-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1892-361-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2216-177-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2960-487-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/2960-493-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/2960-518-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/2960-519-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/3024-506-0x0000000000400000-0x0000000000816000-memory.dmp

Filesize
4.1MB

Download
memory/3024-510-0x0000000000400000-0x0000000000816000-memory.dmp

Filesize
4.1MB

Download
memory/3056-453-0x0000000008E50000-0x0000000008F50000-memory.dmp

Filesize
1024KB

Download
memory/3056-437-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3056-448-0x0000000008E50000-0x0000000008F50000-memory.dmp

Filesize
1024KB

Download
memory/3056-447-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3056-452-0x0000000008E50000-0x0000000008F50000-memory.dmp

Filesize
1024KB

Download
memory/3056-429-0x0000000000400000-0x0000000000816000-memory.dmp

Filesize
4.1MB

Download
memory/3056-455-0x0000000000400000-0x0000000000816000-memory.dmp

Filesize
4.1MB

Download
memory/3056-446-0x0000000008E50000-0x0000000008F50000-memory.dmp

Filesize
1024KB

Download
memory/3056-433-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3056-445-0x0000000008E50000-0x0000000008F50000-memory.dmp

Filesize
1024KB

Download
memory/3056-444-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3056-436-0x0000000005B00000-0x000000000602C000-memory.dmp

Filesize
5.2MB

Download
memory/3056-442-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3056-449-0x0000000008E50000-0x0000000008F50000-memory.dmp

Filesize
1024KB

Download
memory/3056-441-0x0000000006910000-0x000000000691A000-memory.dmp

Filesize
40KB

Download
memory/3056-438-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3296-494-0x0000000000400000-0x0000000000816000-memory.dmp

Filesize
4.1MB

Download
memory/3296-485-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3296-486-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3296-476-0x0000000005C90000-0x0000000005CB2000-memory.dmp

Filesize
136KB

Download
memory/4436-364-0x000000007578C000-0x000000007578D000-memory.dmp

Filesize
4KB

Download
memory/4584-133-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/4584-237-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/4584-228-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/4584-154-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/4584-147-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/4584-209-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/4928-408-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/4928-405-0x00000000059B0000-0x0000000005AC2000-memory.dmp

Filesize
1.1MB

Download
memory/4928-401-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4928-409-0x000000007EFE0000-0x000000007EFF0000-memory.dmp

Filesize
64KB

Download
memory/4928-410-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/4928-416-0x00000000069A0000-0x0000000006A22000-memory.dmp

Filesize
520KB

Download
memory/4928-411-0x0000000005C10000-0x0000000005CAC000-memory.dmp

Filesize
624KB

Download
memory/4928-412-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/5016-151-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5016-235-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5016-515-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download