41417357bea0db8034e2ba21ee6f463d1bdd0f2c5c5b77baa55cda8a583f12ee

Analysis

max time kernel
146s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/06/2023, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume5/Program Files (x86)/UltraViewer/Update/UVUpdater.exe
Size

3.4MB
MD5

9f6011cda9bd22412484a0fc33e7ca8a
SHA1

136b33e3e335d0c2901fb7b85fe26fc5e88445d5
SHA256

8f4f9a43bbfbe3b842a5cdd7cbc621f0171bafda89e3b88310ec473e9a56eae0
SHA512

3ade22ddd54506b510ec04300bc9fb4a8618a224806b3779e3e007fbfe33b5ce12ff741029d7ad17b0574ef980a39e519d48da964122bfffab1939dfe77b34f7
SSDEEP

98304:E5zZ80gsEX+Ljsp0d8DgI4vacQx+wOWj9ViPm:Ef80gsl3s1gFvQ+oRcm

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 3 IoCs

pid	Process
1592	tmp38F6.tmp
1408	tmp38F6.tmp
1464	UVUninstallHelper.exe

Loads dropped DLL 5 IoCs

pid	Process
1420	UVUpdater.exe
1592	tmp38F6.tmp
1408	tmp38F6.tmp
1408	tmp38F6.tmp
1408	tmp38F6.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-5APKL.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-MPRJ5.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-POU0G.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-LURMJ.tmp	tmp38F6.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\msvbvm60.dll	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-OTG7I.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-7MCK9.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-BJPA0.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-SLUQT.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-VK7Q4.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-K9NG4.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-CVK70.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-FE7MQ.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-2JVE3.tmp	tmp38F6.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl20.dll	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-PHNF0.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-LINHR.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-AOSG3.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-TK4FO.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-UONLD.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-8V0MG.tmp	tmp38F6.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\RemoteControl40.dll	tmp38F6.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uv_x64.exe	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-UI3F4.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-GUB3V.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-9IN7E.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-14RTO.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-6AU48.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-EHPTK.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-N62U6.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-VQ94P.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-T6DLL.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-VLTTI.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-AS6RM.tmp	tmp38F6.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uva64.dll	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Update\is-GEALP.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-2T5KV.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-7SN4D.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-KCVFE.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-G65NO.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-R6VSD.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-QO0CL.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-VM16J.tmp	tmp38F6.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvc.dll	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-ASB8C.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-RPVLI.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-DERLP.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-5MFEA.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-UR1SM.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-9MGOT.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-6IVBO.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-5NDLE.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-IB8I3.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-LPRMC.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-UA1AJ.tmp	tmp38F6.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\is-EGIGC.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-QVT9D.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-Q8PAR.tmp	tmp38F6.tmp
File opened for modification	C:\Program Files (x86)\UltraViewer\uvh64.dll	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\Language\is-H83S9.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\images\emotions\is-J9APJ.tmp	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\unins000.dat	tmp38F6.tmp
File created	C:\Program Files (x86)\UltraViewer\is-SU70B.tmp	tmp38F6.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1108	sc.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
548	net.exe
1612	net.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1696	taskkill.exe
572	taskkill.exe
1660	taskkill.exe
1928	taskkill.exe
1736	taskkill.exe
1944	taskkill.exe
1656	taskkill.exe
820	taskkill.exe
1744	taskkill.exe
1964	taskkill.exe
2004	taskkill.exe
656	taskkill.exe
1636	taskkill.exe
1208	taskkill.exe
1236	taskkill.exe
928	taskkill.exe
924	taskkill.exe
860	taskkill.exe
1584	taskkill.exe
1548	taskkill.exe
1920	taskkill.exe
1100	taskkill.exe
1056	taskkill.exe
2028	taskkill.exe
1800	taskkill.exe
360	taskkill.exe
1664	taskkill.exe
1904	taskkill.exe
1636	taskkill.exe
1748	taskkill.exe
1708	taskkill.exe
844	taskkill.exe
680	taskkill.exe
1744	taskkill.exe
980	taskkill.exe
1588	taskkill.exe
1404	taskkill.exe
548	taskkill.exe
1124	taskkill.exe
844	taskkill.exe
284	taskkill.exe
1636	taskkill.exe
1960	taskkill.exe
1780	taskkill.exe
1292	taskkill.exe
980	taskkill.exe
556	taskkill.exe
1316	taskkill.exe
1348	taskkill.exe
1648	taskkill.exe
1188	taskkill.exe
1912	taskkill.exe
1004	taskkill.exe
316	taskkill.exe
568	taskkill.exe
1732	taskkill.exe
1640	taskkill.exe
928	taskkill.exe
1800	taskkill.exe
1288	taskkill.exe
1220	taskkill.exe
616	taskkill.exe
756	taskkill.exe
1228	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UVUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	UVUpdater.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	UVUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	UVUpdater.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1420	UVUpdater.exe
1420	UVUpdater.exe
1464	UVUninstallHelper.exe
1408	tmp38F6.tmp
1408	tmp38F6.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	UVUpdater.exe
Token: SeDebugPrivilege	1464	UVUninstallHelper.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	240	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1408	tmp38F6.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1592	1420	UVUpdater.exe	28
PID 1420 wrote to memory of 1592	1420	UVUpdater.exe	28
PID 1420 wrote to memory of 1592	1420	UVUpdater.exe	28
PID 1420 wrote to memory of 1592	1420	UVUpdater.exe	28
PID 1420 wrote to memory of 1592	1420	UVUpdater.exe	28
PID 1420 wrote to memory of 1592	1420	UVUpdater.exe	28
PID 1420 wrote to memory of 1592	1420	UVUpdater.exe	28
PID 1592 wrote to memory of 1408	1592	tmp38F6.tmp	29
PID 1592 wrote to memory of 1408	1592	tmp38F6.tmp	29
PID 1592 wrote to memory of 1408	1592	tmp38F6.tmp	29
PID 1592 wrote to memory of 1408	1592	tmp38F6.tmp	29
PID 1592 wrote to memory of 1408	1592	tmp38F6.tmp	29
PID 1592 wrote to memory of 1408	1592	tmp38F6.tmp	29
PID 1592 wrote to memory of 1408	1592	tmp38F6.tmp	29
PID 1408 wrote to memory of 1464	1408	tmp38F6.tmp	30
PID 1408 wrote to memory of 1464	1408	tmp38F6.tmp	30
PID 1408 wrote to memory of 1464	1408	tmp38F6.tmp	30
PID 1408 wrote to memory of 1464	1408	tmp38F6.tmp	30
PID 1408 wrote to memory of 1464	1408	tmp38F6.tmp	30
PID 1408 wrote to memory of 1464	1408	tmp38F6.tmp	30
PID 1408 wrote to memory of 1464	1408	tmp38F6.tmp	30
PID 1408 wrote to memory of 548	1408	tmp38F6.tmp	31
PID 1408 wrote to memory of 548	1408	tmp38F6.tmp	31
PID 1408 wrote to memory of 548	1408	tmp38F6.tmp	31
PID 1408 wrote to memory of 548	1408	tmp38F6.tmp	31
PID 548 wrote to memory of 1608	548	net.exe	33
PID 548 wrote to memory of 1608	548	net.exe	33
PID 548 wrote to memory of 1608	548	net.exe	33
PID 548 wrote to memory of 1608	548	net.exe	33
PID 1408 wrote to memory of 1612	1408	tmp38F6.tmp	34
PID 1408 wrote to memory of 1612	1408	tmp38F6.tmp	34
PID 1408 wrote to memory of 1612	1408	tmp38F6.tmp	34
PID 1408 wrote to memory of 1612	1408	tmp38F6.tmp	34
PID 1612 wrote to memory of 1664	1612	net.exe	36
PID 1612 wrote to memory of 1664	1612	net.exe	36
PID 1612 wrote to memory of 1664	1612	net.exe	36
PID 1612 wrote to memory of 1664	1612	net.exe	36
PID 1408 wrote to memory of 1108	1408	tmp38F6.tmp	37
PID 1408 wrote to memory of 1108	1408	tmp38F6.tmp	37
PID 1408 wrote to memory of 1108	1408	tmp38F6.tmp	37
PID 1408 wrote to memory of 1108	1408	tmp38F6.tmp	37
PID 1408 wrote to memory of 1208	1408	tmp38F6.tmp	39
PID 1408 wrote to memory of 1208	1408	tmp38F6.tmp	39
PID 1408 wrote to memory of 1208	1408	tmp38F6.tmp	39
PID 1408 wrote to memory of 1208	1408	tmp38F6.tmp	39
PID 1408 wrote to memory of 1956	1408	tmp38F6.tmp	42
PID 1408 wrote to memory of 1956	1408	tmp38F6.tmp	42
PID 1408 wrote to memory of 1956	1408	tmp38F6.tmp	42
PID 1408 wrote to memory of 1956	1408	tmp38F6.tmp	42
PID 1408 wrote to memory of 1588	1408	tmp38F6.tmp	44
PID 1408 wrote to memory of 1588	1408	tmp38F6.tmp	44
PID 1408 wrote to memory of 1588	1408	tmp38F6.tmp	44
PID 1408 wrote to memory of 1588	1408	tmp38F6.tmp	44
PID 1408 wrote to memory of 1656	1408	tmp38F6.tmp	46
PID 1408 wrote to memory of 1656	1408	tmp38F6.tmp	46
PID 1408 wrote to memory of 1656	1408	tmp38F6.tmp	46
PID 1408 wrote to memory of 1656	1408	tmp38F6.tmp	46
PID 1408 wrote to memory of 1004	1408	tmp38F6.tmp	48
PID 1408 wrote to memory of 1004	1408	tmp38F6.tmp	48
PID 1408 wrote to memory of 1004	1408	tmp38F6.tmp	48
PID 1408 wrote to memory of 1004	1408	tmp38F6.tmp	48
PID 1408 wrote to memory of 240	1408	tmp38F6.tmp	50
PID 1408 wrote to memory of 240	1408	tmp38F6.tmp	50
PID 1408 wrote to memory of 240	1408	tmp38F6.tmp	50

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\Program Files (x86)\UltraViewer\Update\UVUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\Program Files (x86)\UltraViewer\Update\UVUpdater.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\tmp38F6.tmp
  "C:\Users\Admin\AppData\Local\Temp\tmp38F6.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\is-7BLPF.tmp\tmp38F6.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7BLPF.tmp\tmp38F6.tmp" /SL5="$10162,3135717,121344,C:\Users\Admin\AppData\Local\Temp\tmp38F6.tmp" /SP- /donotlangovr=1 /verysilent /noicons /NORESTART /CloseApplications=no /netframework=""
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\is-NPHO7.tmp\UVUninstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-NPHO7.tmp\UVUninstallHelper.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:1608
  - - C:\Windows\SysWOW64\net.exe
      "net" stop UltraViewService
      4⤵
      Discovers systems in the same network
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop UltraViewService
        5⤵
        
        PID:1664
  - - C:\Windows\SysWOW64\sc.exe
      "sc" delete UltraViewService
      4⤵
      Launches sc.exe
      PID:1108
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1208
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:240
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1108
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:268
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2044
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1228
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:860
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:820
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1636
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1748
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1904
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1744
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1108
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1056
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1960
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1148
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1348
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:568
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:860
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1124
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1188
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:656
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1288
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1636
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:360
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1888
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:908
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1292
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:680
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:284
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1744
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:568
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:756
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:556
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:860
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1288
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:928
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1636
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1664
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:572
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:820
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1736
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1548
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1316
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1912
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:548
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1404
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1920
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:928
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1220
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:616
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1236
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /f /im "UltraViewer_Desktop.exe"
      4⤵
      Kills process with taskkill
      PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraViewer\is-LURMJ.tmp

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7BLPF.tmp\tmp38F6.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7BLPF.tmp\tmp38F6.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NPHO7.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NPHO7.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NPHO7.tmp\UVUninstallHelper.exe.config

Filesize
225B

MD5
679aca3e8125584e8704b2dfdfa20a0b

SHA1
bab48dc1c46f6d8b2c38cf47d9435ae9f8bf295e

SHA256
470ce4147bff777ebefc7ccc9e2d1bc5df203b727134fc90b0134bf3cdc7add4

SHA512
8441e36e9091dae33350083b1824bc154f969c4fa86c5984c45e0bd59536933e48773ff4bfb4297e543cb270149025dca82c6bdfad2ca1639f4df58f8abcae6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp38F6.tmp

Filesize
3.4MB

MD5
d57b027724dd6245caa59445629eac66

SHA1
e3c30a6ae00e194add89640dfd660273cda305b9

SHA256
34207eec931e949b65424ac12c68340c3124e7a826b449fae610438457506800

SHA512
83f133831126e7e63f3cb33331ac16cd5b833fee1ae886cfd7a410306f83b7b850d4d1090cb37530243181a81a13fe9699864ffe32635bbc438cdb4a4ce77fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp38F6.tmp

Filesize
3.4MB

MD5
d57b027724dd6245caa59445629eac66

SHA1
e3c30a6ae00e194add89640dfd660273cda305b9

SHA256
34207eec931e949b65424ac12c68340c3124e7a826b449fae610438457506800

SHA512
83f133831126e7e63f3cb33331ac16cd5b833fee1ae886cfd7a410306f83b7b850d4d1090cb37530243181a81a13fe9699864ffe32635bbc438cdb4a4ce77fe3

Download Submit
\Users\Admin\AppData\Local\Temp\is-7BLPF.tmp\tmp38F6.tmp

Filesize
1.1MB

MD5
e845838d99d29c4bba4ad35ee996dea3

SHA1
34a9f433ce1e3339e07d75f0a74efd676b1d7cca

SHA256
b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d

SHA512
fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d

Download Submit
\Users\Admin\AppData\Local\Temp\is-NPHO7.tmp\UVUninstallHelper.exe

Filesize
43KB

MD5
ececb301656f5f8c6a46a8abf8d928fe

SHA1
9bdf8a054c71d34837262ab306db92d3ee70db3b

SHA256
801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b

SHA512
314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6

Download Submit
\Users\Admin\AppData\Local\Temp\is-NPHO7.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-NPHO7.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp38F6.tmp

Filesize
3.4MB

MD5
d57b027724dd6245caa59445629eac66

SHA1
e3c30a6ae00e194add89640dfd660273cda305b9

SHA256
34207eec931e949b65424ac12c68340c3124e7a826b449fae610438457506800

SHA512
83f133831126e7e63f3cb33331ac16cd5b833fee1ae886cfd7a410306f83b7b850d4d1090cb37530243181a81a13fe9699864ffe32635bbc438cdb4a4ce77fe3

Download Submit
memory/1408-134-0x0000000002010000-0x0000000002032000-memory.dmp

Filesize
136KB

Download
memory/1408-149-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1408-239-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1408-337-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1408-358-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1420-73-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/1420-148-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/1592-119-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1592-224-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download