5c609b570ee6163fd7d63eaff862db53c71ec6fc4c568cf71c8500ad3f2defdf

Analysis

max time kernel
148s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume2/Program Files (x86)/UltraViewer/Update/UVUpdater.exe
Size

3.4MB
MD5

9f6011cda9bd22412484a0fc33e7ca8a
SHA1

136b33e3e335d0c2901fb7b85fe26fc5e88445d5
SHA256

8f4f9a43bbfbe3b842a5cdd7cbc621f0171bafda89e3b88310ec473e9a56eae0
SHA512

3ade22ddd54506b510ec04300bc9fb4a8618a224806b3779e3e007fbfe33b5ce12ff741029d7ad17b0574ef980a39e519d48da964122bfffab1939dfe77b34f7
SSDEEP

98304:E5zZ80gsEX+Ljsp0d8DgI4vacQx+wOWj9ViPm:Ef80gsl3s1gFvQ+oRcm

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 3 IoCs

pid	Process
1364	tmp3E53.tmp
1640	tmp3E53.tmp
2024	UVUninstallHelper.exe

Loads dropped DLL 5 IoCs

pid	Process
920	UVUpdater.exe
1364	tmp3E53.tmp
1640	tmp3E53.tmp
1640	tmp3E53.tmp
1640	tmp3E53.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraViewer\images\is-RJ9V4.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-VAOOI.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-HMF2B.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-2EEUM.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-ERTP1.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-DQ047.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-RTL7M.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-PN7MA.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-UCDI6.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-UQIE7.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-IL8SM.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-C3STM.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-7OFFN.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-FKBC9.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-LSSUA.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-03PFP.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-JOO67.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-FOIPD.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-1UIDL.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-VF41D.tmp	tmp3E53.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\msvbvm60.dll	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-JACTO.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-IHOHN.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-SCKM6.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-S5DBI.tmp	tmp3E53.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\js\is-RMQU6.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-GPORT.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-TDHPA.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-VR0UE.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Update\is-LVTP3.tmp	tmp3E53.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-DCAT7.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-9EGRC.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-NG0F9.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-NOL6K.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\sounds\is-0KOE1.tmp	tmp3E53.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uv_clib.dll	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-G82ED.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-ESSAR.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-L4U3N.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-T1E37.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-2VSE7.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-MB5RI.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-1HF5L.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-AMMQF.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-INF3N.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-BP9AU.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-S89Q0.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-0LST9.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-8VS3H.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-5V913.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-8LN4A.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-QSB4E.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-9EGN1.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-C8U1N.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-1EJ68.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-21FBB.tmp	tmp3E53.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl20.dll	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-FUEAU.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\is-08V39.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-8M0UO.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-H1644.tmp	tmp3E53.tmp
File created	C:\Program Files (x86)\UltraViewer\unins000.dat	tmp3E53.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1628	sc.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
936	net.exe
1336	net.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1696	taskkill.exe
924	taskkill.exe
924	taskkill.exe
1632	taskkill.exe
1140	taskkill.exe
1644	taskkill.exe
912	taskkill.exe
2004	taskkill.exe
1704	taskkill.exe
1756	taskkill.exe
1628	taskkill.exe
320	taskkill.exe
1636	taskkill.exe
800	taskkill.exe
896	taskkill.exe
912	taskkill.exe
1612	taskkill.exe
876	taskkill.exe
948	taskkill.exe
1864	taskkill.exe
1008	taskkill.exe
1228	taskkill.exe
1740	taskkill.exe
2004	taskkill.exe
344	taskkill.exe
2004	taskkill.exe
1756	taskkill.exe
316	taskkill.exe
1872	taskkill.exe
1336	taskkill.exe
560	taskkill.exe
560	taskkill.exe
1740	taskkill.exe
580	taskkill.exe
1556	taskkill.exe
1632	taskkill.exe
684	taskkill.exe
1496	taskkill.exe
396	taskkill.exe
812	taskkill.exe
1556	taskkill.exe
1696	taskkill.exe
1660	taskkill.exe
1644	taskkill.exe
1768	taskkill.exe
1488	taskkill.exe
684	taskkill.exe
1700	taskkill.exe
560	taskkill.exe
2016	taskkill.exe
1104	taskkill.exe
912	taskkill.exe
900	taskkill.exe
1672	taskkill.exe
1228	taskkill.exe
700	taskkill.exe
1772	taskkill.exe
1340	taskkill.exe
1104	taskkill.exe
1540	taskkill.exe
576	taskkill.exe
1864	taskkill.exe
472	taskkill.exe
1756	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	UVUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	UVUpdater.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
920	UVUpdater.exe
920	UVUpdater.exe
2024	UVUninstallHelper.exe
1640	tmp3E53.tmp
1640	tmp3E53.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	UVUpdater.exe
Token: SeDebugPrivilege	2024	UVUninstallHelper.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1640	tmp3E53.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1364	920	UVUpdater.exe	27
PID 920 wrote to memory of 1364	920	UVUpdater.exe	27
PID 920 wrote to memory of 1364	920	UVUpdater.exe	27
PID 920 wrote to memory of 1364	920	UVUpdater.exe	27
PID 920 wrote to memory of 1364	920	UVUpdater.exe	27
PID 920 wrote to memory of 1364	920	UVUpdater.exe	27
PID 920 wrote to memory of 1364	920	UVUpdater.exe	27
PID 1364 wrote to memory of 1640	1364	tmp3E53.tmp	28
PID 1364 wrote to memory of 1640	1364	tmp3E53.tmp	28
PID 1364 wrote to memory of 1640	1364	tmp3E53.tmp	28
PID 1364 wrote to memory of 1640	1364	tmp3E53.tmp	28
PID 1364 wrote to memory of 1640	1364	tmp3E53.tmp	28
PID 1364 wrote to memory of 1640	1364	tmp3E53.tmp	28
PID 1364 wrote to memory of 1640	1364	tmp3E53.tmp	28
PID 1640 wrote to memory of 2024	1640	tmp3E53.tmp	29
PID 1640 wrote to memory of 2024	1640	tmp3E53.tmp	29
PID 1640 wrote to memory of 2024	1640	tmp3E53.tmp	29
PID 1640 wrote to memory of 2024	1640	tmp3E53.tmp	29
PID 1640 wrote to memory of 2024	1640	tmp3E53.tmp	29
PID 1640 wrote to memory of 2024	1640	tmp3E53.tmp	29
PID 1640 wrote to memory of 2024	1640	tmp3E53.tmp	29
PID 1640 wrote to memory of 936	1640	tmp3E53.tmp	30
PID 1640 wrote to memory of 936	1640	tmp3E53.tmp	30
PID 1640 wrote to memory of 936	1640	tmp3E53.tmp	30
PID 1640 wrote to memory of 936	1640	tmp3E53.tmp	30
PID 936 wrote to memory of 1728	936	net.exe	32
PID 936 wrote to memory of 1728	936	net.exe	32
PID 936 wrote to memory of 1728	936	net.exe	32
PID 936 wrote to memory of 1728	936	net.exe	32
PID 1640 wrote to memory of 1336	1640	tmp3E53.tmp	33
PID 1640 wrote to memory of 1336	1640	tmp3E53.tmp	33
PID 1640 wrote to memory of 1336	1640	tmp3E53.tmp	33
PID 1640 wrote to memory of 1336	1640	tmp3E53.tmp	33
PID 1336 wrote to memory of 1644	1336	net.exe	35
PID 1336 wrote to memory of 1644	1336	net.exe	35
PID 1336 wrote to memory of 1644	1336	net.exe	35
PID 1336 wrote to memory of 1644	1336	net.exe	35
PID 1640 wrote to memory of 1628	1640	tmp3E53.tmp	36
PID 1640 wrote to memory of 1628	1640	tmp3E53.tmp	36
PID 1640 wrote to memory of 1628	1640	tmp3E53.tmp	36
PID 1640 wrote to memory of 1628	1640	tmp3E53.tmp	36
PID 1640 wrote to memory of 1696	1640	tmp3E53.tmp	38
PID 1640 wrote to memory of 1696	1640	tmp3E53.tmp	38
PID 1640 wrote to memory of 1696	1640	tmp3E53.tmp	38
PID 1640 wrote to memory of 1696	1640	tmp3E53.tmp	38
PID 1640 wrote to memory of 1756	1640	tmp3E53.tmp	41
PID 1640 wrote to memory of 1756	1640	tmp3E53.tmp	41
PID 1640 wrote to memory of 1756	1640	tmp3E53.tmp	41
PID 1640 wrote to memory of 1756	1640	tmp3E53.tmp	41
PID 1640 wrote to memory of 1704	1640	tmp3E53.tmp	43
PID 1640 wrote to memory of 1704	1640	tmp3E53.tmp	43
PID 1640 wrote to memory of 1704	1640	tmp3E53.tmp	43
PID 1640 wrote to memory of 1704	1640	tmp3E53.tmp	43
PID 1640 wrote to memory of 1672	1640	tmp3E53.tmp	45
PID 1640 wrote to memory of 1672	1640	tmp3E53.tmp	45
PID 1640 wrote to memory of 1672	1640	tmp3E53.tmp	45
PID 1640 wrote to memory of 1672	1640	tmp3E53.tmp	45
PID 1640 wrote to memory of 1632	1640	tmp3E53.tmp	47
PID 1640 wrote to memory of 1632	1640	tmp3E53.tmp	47
PID 1640 wrote to memory of 1632	1640	tmp3E53.tmp	47
PID 1640 wrote to memory of 1632	1640	tmp3E53.tmp	47
PID 1640 wrote to memory of 1104	1640	tmp3E53.tmp	49
PID 1640 wrote to memory of 1104	1640	tmp3E53.tmp	49
PID 1640 wrote to memory of 1104	1640	tmp3E53.tmp	49

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Program Files (x86)\UltraViewer\Update\UVUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Program Files (x86)\UltraViewer\Update\UVUpdater.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\tmp3E53.tmp
  "C:\Users\Admin\AppData\Local\Temp\tmp3E53.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\is-J4OQN.tmp\tmp3E53.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-J4OQN.tmp\tmp3E53.tmp" /SL5="$10160,3135717,121344,C:\Users\Admin\AppData\Local\Temp\tmp3E53.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\is-EMMQJ.tmp\UVUninstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-EMMQJ.tmp\UVUninstallHelper.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2024
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:1728
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:1644
  - - C:\Windows\SysWOW64\sc.exe
      "sc" delete UltraViewService
      4⤵
      Launches sc.exe
      PID:1628
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1672
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:772
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:560
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1228
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:700
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:912
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1744
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1772
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1636
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:800
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:896
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:900
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:684
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:832
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:912
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1740
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:580
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1628
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:684
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1540
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:396
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:580
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1628
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:684
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:812
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1700
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1872
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1336
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:900
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1008
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:812
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:912
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1228
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:876
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:560
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:948
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1740
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1140
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:560
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:576
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:472
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraViewer\is-JBB4N.tmp

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2E59.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EMMQJ.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EMMQJ.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EMMQJ.tmp\UVUninstallHelper.exe.config

Filesize
225B

MD5
679aca3e8125584e8704b2dfdfa20a0b

SHA1
bab48dc1c46f6d8b2c38cf47d9435ae9f8bf295e

SHA256
470ce4147bff777ebefc7ccc9e2d1bc5df203b727134fc90b0134bf3cdc7add4

SHA512
8441e36e9091dae33350083b1824bc154f969c4fa86c5984c45e0bd59536933e48773ff4bfb4297e543cb270149025dca82c6bdfad2ca1639f4df58f8abcae6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J4OQN.tmp\tmp3E53.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J4OQN.tmp\tmp3E53.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E53.tmp

Filesize
3.4MB

MD5
d57b027724dd6245caa59445629eac66

SHA1
e3c30a6ae00e194add89640dfd660273cda305b9

SHA256
34207eec931e949b65424ac12c68340c3124e7a826b449fae610438457506800

SHA512
83f133831126e7e63f3cb33331ac16cd5b833fee1ae886cfd7a410306f83b7b850d4d1090cb37530243181a81a13fe9699864ffe32635bbc438cdb4a4ce77fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E53.tmp

Filesize
3.4MB

MD5
d57b027724dd6245caa59445629eac66

SHA1
e3c30a6ae00e194add89640dfd660273cda305b9

SHA256
34207eec931e949b65424ac12c68340c3124e7a826b449fae610438457506800

SHA512
83f133831126e7e63f3cb33331ac16cd5b833fee1ae886cfd7a410306f83b7b850d4d1090cb37530243181a81a13fe9699864ffe32635bbc438cdb4a4ce77fe3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EMMQJ.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
\Users\Admin\AppData\Local\Temp\is-EMMQJ.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-EMMQJ.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
\Users\Admin\AppData\Local\Temp\is-J4OQN.tmp\tmp3E53.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3E53.tmp

Filesize
3.4MB

MD5
d57b027724dd6245caa59445629eac66

SHA1
e3c30a6ae00e194add89640dfd660273cda305b9

SHA256
34207eec931e949b65424ac12c68340c3124e7a826b449fae610438457506800

SHA512
83f133831126e7e63f3cb33331ac16cd5b833fee1ae886cfd7a410306f83b7b850d4d1090cb37530243181a81a13fe9699864ffe32635bbc438cdb4a4ce77fe3

Download Submit
memory/920-82-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/1364-119-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1364-205-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1640-134-0x00000000020D0000-0x00000000020F2000-memory.dmp

Filesize
136KB

Download
memory/1640-145-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1640-218-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1640-296-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1640-347-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download