836a413470ba9b63a273f44cbf56009985a252e969cdc61148d930b909b8780d

Analysis

max time kernel
50s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2023, 15:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume5/Program Files (x86)/UltraViewer/Update/UVUpdater.exe
Size

3.4MB
MD5

9f6011cda9bd22412484a0fc33e7ca8a
SHA1

136b33e3e335d0c2901fb7b85fe26fc5e88445d5
SHA256

8f4f9a43bbfbe3b842a5cdd7cbc621f0171bafda89e3b88310ec473e9a56eae0
SHA512

3ade22ddd54506b510ec04300bc9fb4a8618a224806b3779e3e007fbfe33b5ce12ff741029d7ad17b0574ef980a39e519d48da964122bfffab1939dfe77b34f7
SSDEEP

98304:E5zZ80gsEX+Ljsp0d8DgI4vacQx+wOWj9ViPm:Ef80gsl3s1gFvQ+oRcm

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 3 IoCs

pid	Process
3956	tmp9659.tmp
2824	tmp9659.tmp
1476	UVUninstallHelper.exe

Loads dropped DLL 9 IoCs

pid	Process
2824	tmp9659.tmp
2824	tmp9659.tmp
2824	tmp9659.tmp
2272	regasm.exe
2272	regasm.exe
2272	regasm.exe
2272	regasm.exe
2272	regasm.exe
2272	regasm.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231b7-384.dat	upx
behavioral2/files/0x00060000000231b7-405.dat	upx
behavioral2/files/0x00060000000231b7-406.dat	upx
behavioral2/memory/1856-410-0x0000000000400000-0x0000000000816000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UltraViewer\uv_x64.exe	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-0QQNJ.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-P899Q.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-8VQFN.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-Q5SGF.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-SMC2L.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-2LS8C.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-ABM6J.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-ESV3V.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-QN8OT.tmp	tmp9659.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-3BP4I.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-7UD84.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-CRC1U.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-01B4G.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-K9DMR.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-G8KFK.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-L3U9K.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-N22HU.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-LCF42.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-K188S.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-GKT0A.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-2IBQG.tmp	tmp9659.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uv_clib.dll	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-NVSRJ.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-DI9LH.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-BPHLU.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-A3RNQ.tmp	tmp9659.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl40.dll	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-AUU98.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-7U9V6.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-NO6S9.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Update\is-FSSK7.tmp	tmp9659.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-OKL1M.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-009KH.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-73OG5.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-CRA3P.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\sounds\is-KLSC8.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-MDUUI.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-CJIG4.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-6F77U.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-HFV80.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-I2S4B.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-ODVI0.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-KV4FM.tmp	tmp9659.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvh64.dll	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\js\is-H2A6H.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-8F26H.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-CB044.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-JCU7U.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-O9E4T.tmp	tmp9659.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uva.dll	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-4AQR8.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-PL9IJ.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-ORMF7.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-23CDO.tmp	tmp9659.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvh.dll	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-KTQ73.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-5G9HM.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-LLEHD.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-875FR.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\is-TMHHS.tmp	tmp9659.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-MSI4C.tmp	tmp9659.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
460	sc.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1660	net.exe
1976	net.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2444	taskkill.exe
4316	taskkill.exe
2512	taskkill.exe
4836	taskkill.exe
4368	taskkill.exe
2248	taskkill.exe
4348	taskkill.exe
4736	taskkill.exe
3700	taskkill.exe
1880	taskkill.exe
1868	taskkill.exe
3876	taskkill.exe
3004	taskkill.exe
3788	taskkill.exe
3116	taskkill.exe
3972	taskkill.exe
3464	taskkill.exe
3808	taskkill.exe
2308	taskkill.exe
4232	taskkill.exe
4772	taskkill.exe
1980	taskkill.exe
1464	taskkill.exe
5032	taskkill.exe
4584	taskkill.exe
1796	taskkill.exe
368	taskkill.exe
1508	taskkill.exe
3996	taskkill.exe
812	taskkill.exe
3712	taskkill.exe
3908	taskkill.exe
4224	taskkill.exe
4100	taskkill.exe
2340	taskkill.exe
460	taskkill.exe
4672	taskkill.exe
2760	taskkill.exe
2716	taskkill.exe
3748	taskkill.exe
1300	taskkill.exe
2544	taskkill.exe
2760	taskkill.exe
1676	taskkill.exe
1748	taskkill.exe
3004	taskkill.exe
1744	taskkill.exe
636	taskkill.exe
624	taskkill.exe
2216	taskkill.exe
2716	taskkill.exe
2304	taskkill.exe
2260	taskkill.exe
4384	taskkill.exe
5044	taskkill.exe
2996	taskkill.exe
3908	taskkill.exe
2708	taskkill.exe
1960	taskkill.exe
4160	taskkill.exe
4280	taskkill.exe
4028	taskkill.exe
5048	taskkill.exe
3300	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A074C60F-D82F-4695-9E07-826FDAAF223E}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451AA1DC-A41C-4F36-BFFF-9E33442C950B}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F1067D5-F16B-49BF-A440-A88D6A845B91}\InprocServer32\1.0.0.0\Assembly = "RemoteControl, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BE2E2B3-7F62-4AD6-AE57-940676669502}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DD0548C-662A-455A-8F82-51A9AFFB641C}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12653B18-0C6E-3A61-8A65-DA321031629C}\InprocServer32\ = "mscoree.dll"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VFileWatcher	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CA5DE22-F295-3F03-8D69-018007836F60}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1B1099AC-1EBD-34C4-8973-1C49DD556385}\1.0.0.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.mReboot\ = "RemoteControl.mReboot"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12653B18-0C6E-3A61-8A65-DA321031629C}\InprocServer32\Assembly = "RemoteControl, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08830907-EBD1-4ABA-A249-1691BB305416}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E65BD510-2AA1-3A63-A724-2103AA8FE2BE}\ = "RemoteControl.CJsonScript"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75C87975-804F-456D-9D3B-8B4A621F6E6B}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VOnlineContactTreeView\CLSID	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451AA1DC-A41C-4F36-BFFF-9E33442C950B}\ProgId	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62A7C086-6E75-4CE5-88B7-FFFFD229323D}\ = "_VControllerThread"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B3A19CB-4A4E-4FAE-AA9E-66B99C2B16CD}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E75ED84D-F3D1-403B-A38E-E8BAC234681B}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B22E101-DC80-3C11-AB81-B0C68158A4DC}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{93ECA15C-2992-42A0-9CD4-5725C7895EDA}\Version	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C79739A5-5221-35B5-AB83-7EAA9317803A}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCE15B3B-6579-475D-9FAD-A51A54779699}\InprocServer32\1.0.0.0\Class = "RemoteControl.VObjectDictionary"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C0C272BB-F685-435C-87A0-05E22D8D05A4}\ProgId\ = "RemoteControl.VListDouble"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VListByteArray\ = "RemoteControl.VListByteArray"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7FC939D-118A-492D-997F-6CB79048C6CA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63743E71-D65A-48D5-A754-0C729968ADBA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61D3CD51-9E62-4180-9002-513ABD50A4C1}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F271EFB2-B5CC-4AEF-AADE-16693B26BA0B}\ = "_VTCPClient"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.MouseHook\CLSID\ = "{0CD04A1C-5525-3C3D-B932-DBE5FEE1B00A}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99E71D7F-9CF7-36F0-B0A2-14F60AAD78B6}\InprocServer32\1.0.0.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32A7F76C-B1E7-47B9-ADA0-144BA21C27CD}\ProgId\ = "RemoteControl.VIntBooleanDict"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85C54413-2591-451A-B485-025CE2B9593F}\InprocServer32\1.0.0.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D87B5289-A84D-4B4D-B241-3A42C6D05D54}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VPinger\CLSID\ = "{AD6583C2-0B5C-49A5-A13C-E9C530F8A3A8}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VistaTreeView\ = "RemoteControl.VistaTreeView"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CA5DE22-F295-3F03-8D69-018007836F60}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8EBA524-0098-31CD-9C50-7FE7774022FC}\InprocServer32\ = "mscoree.dll"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF83752C-2529-4326-AB56-ADD3A8308D7D}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B22E101-DC80-3C11-AB81-B0C68158A4DC}\InprocServer32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F1067D5-F16B-49BF-A440-A88D6A845B91}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{536CEB69-5373-4841-A192-CB34F6913CB7}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4AA6ABE-1A1A-41C4-A006-D175F931B657}\Version	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08830907-EBD1-4ABA-A249-1691BB305416}\InprocServer32\Class = "RemoteControl.clsStoredFrame+VTelegram"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4E482A0-F8DF-4E68-B101-489B1AFD0BD2}\ = "RemoteControl.VStopWatch"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74E9E864-ED65-4721-A2A5-A526E21E8DA0}\ProxyStubClsid32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7FC939D-118A-492D-997F-6CB79048C6CA}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F4D4BB2-FA01-418B-B261-2CC14A6D7D4A}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C2D3CD4-F2EB-4CB3-9CBD-09181267DD05}\InprocServer32\1.0.0.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28D06E4D-6B44-40D3-8AB3-E11DBEDD4CCC}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E75ED84D-F3D1-403B-A38E-E8BAC234681B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63743E71-D65A-48D5-A754-0C729968ADBA}\TypeLib\ = "{F58D911B-3BCE-4ED7-9CA3-2F32BE5A915C}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DC2EF02C-DA10-4070-B5C4-0F504F7E53F5}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VStopWatch	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF53CD8B-ECFF-4E34-A776-654C5306F4F6}\Control	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC99602-9551-3713-ACBC-AF77516182E3}\InprocServer32\ = "mscoree.dll"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8EBA524-0098-31CD-9C50-7FE7774022FC}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VCheckbox	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA7B8BCD-DBC6-4248-BBDD-81C0681C2E49}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451AA1DC-A41C-4F36-BFFF-9E33442C950B}\InprocServer32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCE15B3B-6579-475D-9FAD-A51A54779699}\InprocServer32\1.0.0.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.clsWakeUp	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72550BB6-0686-42EA-9C8F-F446DA8486CE}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteControl.VAudio+RemoteClientInfo	regasm.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	UVUpdater.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	UVUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	UVUpdater.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4244	UVUpdater.exe
4244	UVUpdater.exe
1476	UVUninstallHelper.exe
2824	tmp9659.tmp
2824	tmp9659.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	UVUpdater.exe
Token: SeDebugPrivilege	1476	UVUninstallHelper.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	3996	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	4836	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	tmp9659.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 3956	4244	UVUpdater.exe	87
PID 4244 wrote to memory of 3956	4244	UVUpdater.exe	87
PID 4244 wrote to memory of 3956	4244	UVUpdater.exe	87
PID 3956 wrote to memory of 2824	3956	tmp9659.tmp	88
PID 3956 wrote to memory of 2824	3956	tmp9659.tmp	88
PID 3956 wrote to memory of 2824	3956	tmp9659.tmp	88
PID 2824 wrote to memory of 1476	2824	tmp9659.tmp	91
PID 2824 wrote to memory of 1476	2824	tmp9659.tmp	91
PID 2824 wrote to memory of 1476	2824	tmp9659.tmp	91
PID 2824 wrote to memory of 1660	2824	tmp9659.tmp	92
PID 2824 wrote to memory of 1660	2824	tmp9659.tmp	92
PID 2824 wrote to memory of 1660	2824	tmp9659.tmp	92
PID 1660 wrote to memory of 3256	1660	net.exe	94
PID 1660 wrote to memory of 3256	1660	net.exe	94
PID 1660 wrote to memory of 3256	1660	net.exe	94
PID 2824 wrote to memory of 1976	2824	tmp9659.tmp	96
PID 2824 wrote to memory of 1976	2824	tmp9659.tmp	96
PID 2824 wrote to memory of 1976	2824	tmp9659.tmp	96
PID 1976 wrote to memory of 1412	1976	net.exe	98
PID 1976 wrote to memory of 1412	1976	net.exe	98
PID 1976 wrote to memory of 1412	1976	net.exe	98
PID 2824 wrote to memory of 460	2824	tmp9659.tmp	99
PID 2824 wrote to memory of 460	2824	tmp9659.tmp	99
PID 2824 wrote to memory of 460	2824	tmp9659.tmp	99
PID 2824 wrote to memory of 2716	2824	tmp9659.tmp	101
PID 2824 wrote to memory of 2716	2824	tmp9659.tmp	101
PID 2824 wrote to memory of 2716	2824	tmp9659.tmp	101
PID 2824 wrote to memory of 1508	2824	tmp9659.tmp	103
PID 2824 wrote to memory of 1508	2824	tmp9659.tmp	103
PID 2824 wrote to memory of 1508	2824	tmp9659.tmp	103
PID 2824 wrote to memory of 5048	2824	tmp9659.tmp	105
PID 2824 wrote to memory of 5048	2824	tmp9659.tmp	105
PID 2824 wrote to memory of 5048	2824	tmp9659.tmp	105
PID 2824 wrote to memory of 2308	2824	tmp9659.tmp	107
PID 2824 wrote to memory of 2308	2824	tmp9659.tmp	107
PID 2824 wrote to memory of 2308	2824	tmp9659.tmp	107
PID 2824 wrote to memory of 624	2824	tmp9659.tmp	109
PID 2824 wrote to memory of 624	2824	tmp9659.tmp	109
PID 2824 wrote to memory of 624	2824	tmp9659.tmp	109
PID 2824 wrote to memory of 3700	2824	tmp9659.tmp	111
PID 2824 wrote to memory of 3700	2824	tmp9659.tmp	111
PID 2824 wrote to memory of 3700	2824	tmp9659.tmp	111
PID 2824 wrote to memory of 2512	2824	tmp9659.tmp	113
PID 2824 wrote to memory of 2512	2824	tmp9659.tmp	113
PID 2824 wrote to memory of 2512	2824	tmp9659.tmp	113
PID 2824 wrote to memory of 2340	2824	tmp9659.tmp	115
PID 2824 wrote to memory of 2340	2824	tmp9659.tmp	115
PID 2824 wrote to memory of 2340	2824	tmp9659.tmp	115
PID 2824 wrote to memory of 1948	2824	tmp9659.tmp	118
PID 2824 wrote to memory of 1948	2824	tmp9659.tmp	118
PID 2824 wrote to memory of 1948	2824	tmp9659.tmp	118
PID 2824 wrote to memory of 2996	2824	tmp9659.tmp	120
PID 2824 wrote to memory of 2996	2824	tmp9659.tmp	120
PID 2824 wrote to memory of 2996	2824	tmp9659.tmp	120
PID 2824 wrote to memory of 3908	2824	tmp9659.tmp	122
PID 2824 wrote to memory of 3908	2824	tmp9659.tmp	122
PID 2824 wrote to memory of 3908	2824	tmp9659.tmp	122
PID 2824 wrote to memory of 3996	2824	tmp9659.tmp	124
PID 2824 wrote to memory of 3996	2824	tmp9659.tmp	124
PID 2824 wrote to memory of 3996	2824	tmp9659.tmp	124
PID 2824 wrote to memory of 4652	2824	tmp9659.tmp	126
PID 2824 wrote to memory of 4652	2824	tmp9659.tmp	126
PID 2824 wrote to memory of 4652	2824	tmp9659.tmp	126
PID 2824 wrote to memory of 4836	2824	tmp9659.tmp	128

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\Program Files (x86)\UltraViewer\Update\UVUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\Program Files (x86)\UltraViewer\Update\UVUpdater.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\tmp9659.tmp
  "C:\Users\Admin\AppData\Local\Temp\tmp9659.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\is-51EQ1.tmp\tmp9659.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-51EQ1.tmp\tmp9659.tmp" /SL5="$60062,3135717,121344,C:\Users\Admin\AppData\Local\Temp\tmp9659.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\is-BPUH7.tmp\UVUninstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-BPUH7.tmp\UVUninstallHelper.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1476
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:3256
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:1412
  - - C:\Windows\SysWOW64\sc.exe
      "sc" delete UltraViewService
      4⤵
      Launches sc.exe
      PID:460
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5048
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2308
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2340
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1948
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2996
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4652
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4836
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4372
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4232
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3300
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:812
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3716
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4368
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4160
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3748
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3776
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2816
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4772
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3880
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1980
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:460
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1300
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2444
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:636
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4224
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4524
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1880
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3788
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3116
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4584
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2316
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4672
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1868
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1748
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1960
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4348
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1796
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4100
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4736
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4160
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:3004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:368
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:3464
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:2260
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:3716
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:2760
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1744
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4316
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4384
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:636
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4280
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:3808
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:5044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl.dll" /tlb
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2272
  - - C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
      "C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" validate
      4⤵
      PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraViewer\Language\English.txt

Filesize
14KB

MD5
b6a8ccdc51964e1551bef57b4a42a899

SHA1
52de4c2fc039af9a2f1295e8419123ba89ee5858

SHA256
c615da39ed0990bbad49686307872b18084b51bc8e401bd47a36509c66d2cc0a

SHA512
8d1e92a56373f79d850789152c9758a1f36a71bb9ee68982d50ea92537c3ce2f30ff9cfb707040f4c7dd3eb459082cfc849e511823bc4c210a88aa6db011dda6

Download Submit
C:\Program Files (x86)\UltraViewer\Language\LanguageList.ini

Filesize
1KB

MD5
473b3896eae7ea66f61e9d0ffbe5b9b1

SHA1
d7ef69586317f7472ce400bc7bef75bfa4095592

SHA256
d3ee6fc3b7418afa19292eb7f6b872cae8ec04290b9ee1bd4cea8d8e88aec52f

SHA512
981ae52e4206bf04b345642ae87c88889e83d0c47e7251755d179d00fd35117e670205dab9d15042e26bc53dc18112206a5a650120928a52916bfadbc3a1fb66

Download Submit
C:\Program Files (x86)\UltraViewer\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\UltraViewer\NAudio.dll

Filesize
496KB

MD5
5da17fa97fce539c78e3018ee1c29cd0

SHA1
cff12edd4361fa5c310250ebaacbfc54274f00c8

SHA256
92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe

SHA512
1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5

Download Submit
C:\Program Files (x86)\UltraViewer\NAudio.dll

Filesize
496KB

MD5
5da17fa97fce539c78e3018ee1c29cd0

SHA1
cff12edd4361fa5c310250ebaacbfc54274f00c8

SHA256
92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe

SHA512
1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5

Download Submit
C:\Program Files (x86)\UltraViewer\NAudio.dll

Filesize
496KB

MD5
5da17fa97fce539c78e3018ee1c29cd0

SHA1
cff12edd4361fa5c310250ebaacbfc54274f00c8

SHA256
92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe

SHA512
1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
8b0a95c5fdd5fe1c7e44d3881d743a15

SHA1
24aed0d76560523117cc398774639bc40497412a

SHA256
ef76e684b52be8dc8d75bc3d965679151aa241f3115be746e519d95380d9daa1

SHA512
8a07498ce3dd95f477cd7d9db0e43ea485ef4f473afbc23d54f0f747e92bae663c29272000bdf3f0252642050ab58960188f589862beb0fbe667b20eb18f3541

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
8b0a95c5fdd5fe1c7e44d3881d743a15

SHA1
24aed0d76560523117cc398774639bc40497412a

SHA256
ef76e684b52be8dc8d75bc3d965679151aa241f3115be746e519d95380d9daa1

SHA512
8a07498ce3dd95f477cd7d9db0e43ea485ef4f473afbc23d54f0f747e92bae663c29272000bdf3f0252642050ab58960188f589862beb0fbe667b20eb18f3541

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
8b0a95c5fdd5fe1c7e44d3881d743a15

SHA1
24aed0d76560523117cc398774639bc40497412a

SHA256
ef76e684b52be8dc8d75bc3d965679151aa241f3115be746e519d95380d9daa1

SHA512
8a07498ce3dd95f477cd7d9db0e43ea485ef4f473afbc23d54f0f747e92bae663c29272000bdf3f0252642050ab58960188f589862beb0fbe667b20eb18f3541

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
8b0a95c5fdd5fe1c7e44d3881d743a15

SHA1
24aed0d76560523117cc398774639bc40497412a

SHA256
ef76e684b52be8dc8d75bc3d965679151aa241f3115be746e519d95380d9daa1

SHA512
8a07498ce3dd95f477cd7d9db0e43ea485ef4f473afbc23d54f0f747e92bae663c29272000bdf3f0252642050ab58960188f589862beb0fbe667b20eb18f3541

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
8b0a95c5fdd5fe1c7e44d3881d743a15

SHA1
24aed0d76560523117cc398774639bc40497412a

SHA256
ef76e684b52be8dc8d75bc3d965679151aa241f3115be746e519d95380d9daa1

SHA512
8a07498ce3dd95f477cd7d9db0e43ea485ef4f473afbc23d54f0f747e92bae663c29272000bdf3f0252642050ab58960188f589862beb0fbe667b20eb18f3541

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
8b0a95c5fdd5fe1c7e44d3881d743a15

SHA1
24aed0d76560523117cc398774639bc40497412a

SHA256
ef76e684b52be8dc8d75bc3d965679151aa241f3115be746e519d95380d9daa1

SHA512
8a07498ce3dd95f477cd7d9db0e43ea485ef4f473afbc23d54f0f747e92bae663c29272000bdf3f0252642050ab58960188f589862beb0fbe667b20eb18f3541

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.dll

Filesize
1.0MB

MD5
8b0a95c5fdd5fe1c7e44d3881d743a15

SHA1
24aed0d76560523117cc398774639bc40497412a

SHA256
ef76e684b52be8dc8d75bc3d965679151aa241f3115be746e519d95380d9daa1

SHA512
8a07498ce3dd95f477cd7d9db0e43ea485ef4f473afbc23d54f0f747e92bae663c29272000bdf3f0252642050ab58960188f589862beb0fbe667b20eb18f3541

Download Submit
C:\Program Files (x86)\UltraViewer\RemoteControl.tlb

Filesize
236KB

MD5
6905ce31fccabd2c0b51bf910698ad83

SHA1
940ea6dbd498cb89423e58186222da2cc09fb45f

SHA256
670896b87a02b8cf9d715ad0c62ed04160ddc5fc075adc52cb2eb038f9ecd282

SHA512
6a31920226a5b774134ad7ff686b42f1965496efc6516e1dae4634b7c172243a35ba005dcb50e3c2d570a1e9228cc2fd11cc67679a0b79998ff67dbd71b0cbc4

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe

Filesize
980KB

MD5
f667dddcbff846d6463fe5b99c3a3c1d

SHA1
ea23cb8d610234c1502daacfd159bfc56c1f290f

SHA256
e8aba8e6511bda3048bebac4608ec15119f7d8c1470239f9164b0f6114d44a60

SHA512
369bf71faf3192757e45f313aa12ab820a301087d35324eed3f9970dd54c91d9dbe5a70262408cbb072a0f1dff4eb6b80ace2764534d84499d8868ef3ab48e53

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe

Filesize
980KB

MD5
f667dddcbff846d6463fe5b99c3a3c1d

SHA1
ea23cb8d610234c1502daacfd159bfc56c1f290f

SHA256
e8aba8e6511bda3048bebac4608ec15119f7d8c1470239f9164b0f6114d44a60

SHA512
369bf71faf3192757e45f313aa12ab820a301087d35324eed3f9970dd54c91d9dbe5a70262408cbb072a0f1dff4eb6b80ace2764534d84499d8868ef3ab48e53

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe

Filesize
980KB

MD5
f667dddcbff846d6463fe5b99c3a3c1d

SHA1
ea23cb8d610234c1502daacfd159bfc56c1f290f

SHA256
e8aba8e6511bda3048bebac4608ec15119f7d8c1470239f9164b0f6114d44a60

SHA512
369bf71faf3192757e45f313aa12ab820a301087d35324eed3f9970dd54c91d9dbe5a70262408cbb072a0f1dff4eb6b80ace2764534d84499d8868ef3ab48e53

Download Submit
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe.config

Filesize
310B

MD5
42b8d26600dcb85572ee43616f929d6a

SHA1
31a4c46641129ef59eb925621c1aa4f8401d776c

SHA256
99f95d44f1e42cf485132e722679f9d0c6f6cd5f560ce76dfd98abf8558377bc

SHA512
d485b45f06de66ff31b8db6706868ac3d3f89b3980bffaa05b539f0ad2b2373e72fd1aab4cfb8cf0dca7d52b43df195336f53cc9cfe99a9d87143c02a5470eae

Download Submit
C:\Program Files (x86)\UltraViewer\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\UltraViewer\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Program Files (x86)\UltraViewer\uvh.dll

Filesize
124KB

MD5
8b3f15a335710c799eae2395fa6b322d

SHA1
81b9f58fe2c61e26e758690f59fa4de4bc8b462b

SHA256
09ab11cb97673838faf91b8d06ed9ff7ad460d7791715ee983b83004984a452c

SHA512
c0dd2302d5d00d8c1f7b21972a12d0ce8bfda07603e8cb3006e6df696458d15e3b8e7eeefa712195e3337ddda6de0f683d66963dde5484172517c6338e48dda9

Download Submit
C:\Program Files (x86)\UltraViewer\uvh.dll

Filesize
124KB

MD5
8b3f15a335710c799eae2395fa6b322d

SHA1
81b9f58fe2c61e26e758690f59fa4de4bc8b462b

SHA256
09ab11cb97673838faf91b8d06ed9ff7ad460d7791715ee983b83004984a452c

SHA512
c0dd2302d5d00d8c1f7b21972a12d0ce8bfda07603e8cb3006e6df696458d15e3b8e7eeefa712195e3337ddda6de0f683d66963dde5484172517c6338e48dda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-51EQ1.tmp\tmp9659.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-51EQ1.tmp\tmp9659.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPUH7.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPUH7.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPUH7.tmp\UVUninstallHelper.exe.config

Filesize
225B

MD5
679aca3e8125584e8704b2dfdfa20a0b

SHA1
bab48dc1c46f6d8b2c38cf47d9435ae9f8bf295e

SHA256
470ce4147bff777ebefc7ccc9e2d1bc5df203b727134fc90b0134bf3cdc7add4

SHA512
8441e36e9091dae33350083b1824bc154f969c4fa86c5984c45e0bd59536933e48773ff4bfb4297e543cb270149025dca82c6bdfad2ca1639f4df58f8abcae6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPUH7.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPUH7.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPUH7.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9659.tmp

Filesize
3.4MB

MD5
d57b027724dd6245caa59445629eac66

SHA1
e3c30a6ae00e194add89640dfd660273cda305b9

SHA256
34207eec931e949b65424ac12c68340c3124e7a826b449fae610438457506800

SHA512
83f133831126e7e63f3cb33331ac16cd5b833fee1ae886cfd7a410306f83b7b850d4d1090cb37530243181a81a13fe9699864ffe32635bbc438cdb4a4ce77fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9659.tmp

Filesize
3.4MB

MD5
d57b027724dd6245caa59445629eac66

SHA1
e3c30a6ae00e194add89640dfd660273cda305b9

SHA256
34207eec931e949b65424ac12c68340c3124e7a826b449fae610438457506800

SHA512
83f133831126e7e63f3cb33331ac16cd5b833fee1ae886cfd7a410306f83b7b850d4d1090cb37530243181a81a13fe9699864ffe32635bbc438cdb4a4ce77fe3

Download Submit
memory/1856-425-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1856-424-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1856-421-0x0000000005B40000-0x000000000606C000-memory.dmp

Filesize
5.2MB

Download
memory/1856-418-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1856-410-0x0000000000400000-0x0000000000816000-memory.dmp

Filesize
4.1MB

Download
memory/2272-396-0x0000000005EC0000-0x0000000005F5C000-memory.dmp

Filesize
624KB

Download
memory/2272-397-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/2272-401-0x0000000006C50000-0x0000000006CD2000-memory.dmp

Filesize
520KB

Download
memory/2272-386-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/2272-391-0x000000007EF80000-0x000000007EF90000-memory.dmp

Filesize
64KB

Download
memory/2272-394-0x0000000006330000-0x00000000068D4000-memory.dmp

Filesize
5.6MB

Download
memory/2272-395-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/2272-390-0x0000000005C60000-0x0000000005D72000-memory.dmp

Filesize
1.1MB

Download
memory/2824-232-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2824-170-0x0000000003310000-0x0000000003332000-memory.dmp

Filesize
136KB

Download
memory/2824-417-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2824-177-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2824-297-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2824-355-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3956-231-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3956-153-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4244-233-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/4244-157-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/4244-155-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/4244-133-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/4244-204-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download