Malware Analysis Report

2025-08-10 22:11

Sample ID 231011-xb4a3sef6w
Target #PO 4500515595 ULTRA TEC_1.zip
SHA256 6153872c1610031f5242968a5b2818fb307f800886262a0e932e9bcaeb980859
Tags
formbook ey16 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6153872c1610031f5242968a5b2818fb307f800886262a0e932e9bcaeb980859

Threat Level: Known bad

The file #PO 4500515595 ULTRA TEC_1.zip was found to be: Known bad.

Malicious Activity Summary

formbook ey16 rat spyware stealer trojan

Formbook

Formbook payload

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 18:41

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 18:41

Reported

2023-10-12 11:03

Platform

win7-20230831-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2828 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2528 set thread context of 1192 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2820 set thread context of 1192 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2828 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2828 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2828 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2828 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2828 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2828 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2828 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2828 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2828 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1192 wrote to memory of 2820 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe |
| PID 1192 wrote to memory of 2820 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe |
| PID 1192 wrote to memory of 2820 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe |
| PID 1192 wrote to memory of 2820 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe |
| PID 2820 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2820 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2820 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2820 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe

"C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gtpTbwW.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gtpTbwW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\help.exe

"C:\Windows\SysWOW64\help.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.therealopulent.com | udp |
| CA | 23.227.38.74:80 | www.therealopulent.com | tcp |
| US | 8.8.8.8:53 | www.paover.com | udp |
| CA | 72.10.173.130:80 | www.paover.com | tcp |
| US | 8.8.8.8:53 | www.cirbs.com | udp |
| US | 44.230.85.241:80 | www.cirbs.com | tcp |

Files

memory/2828-0-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2828-1-0x0000000000350000-0x00000000003DE000-memory.dmp

memory/2828-2-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2828-3-0x0000000000560000-0x0000000000570000-memory.dmp

memory/2828-4-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2828-5-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2828-6-0x0000000000660000-0x000000000066C000-memory.dmp

memory/2828-7-0x0000000004F40000-0x0000000004FAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp

MD5 24ea0f7ce8c7b0e4a50b1a106027abe4
SHA1 a8567838ecf7544ed3aa332668822ac3b2e553b8
SHA256 efe6d31564707d553a06158373e2e00d28b1aa881f2bee59d25d00191afed12f
SHA512 895519826b4ac0038b585e71433795c82ef445b5716b9bf45b51f2fd79d929f399cea2553ece4d1c76def02fa5b2186cc7d1f672a4de3cc1069bb84b069f1963

memory/2720-15-0x000000006ECB0000-0x000000006F25B000-memory.dmp

memory/2720-16-0x000000006ECB0000-0x000000006F25B000-memory.dmp

memory/2720-17-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/2528-18-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2528-20-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2720-19-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/2528-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2528-23-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2828-24-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2528-25-0x0000000000980000-0x0000000000C83000-memory.dmp

memory/2720-26-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/1192-29-0x0000000002E70000-0x0000000002F70000-memory.dmp

memory/2528-28-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2528-30-0x0000000000190000-0x00000000001A5000-memory.dmp

memory/1192-31-0x0000000004D40000-0x0000000004E2C000-memory.dmp

memory/2720-32-0x000000006ECB0000-0x000000006F25B000-memory.dmp

memory/2820-33-0x00000000007E0000-0x00000000007E6000-memory.dmp

memory/2820-34-0x00000000007E0000-0x00000000007E6000-memory.dmp

memory/2820-35-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2820-36-0x0000000000980000-0x0000000000C83000-memory.dmp

memory/2820-37-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2820-39-0x0000000000600000-0x0000000000694000-memory.dmp

memory/1192-40-0x0000000004020000-0x00000000040B9000-memory.dmp

memory/1192-41-0x0000000004020000-0x00000000040B9000-memory.dmp

memory/1192-43-0x0000000004020000-0x00000000040B9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 18:41

Reported

2023-10-12 11:03

Platform

win10v2004-20230915-en

Max time kernel

170s

Max time network

172s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Blocklisted process makes network request

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3840 wrote to memory of 3540 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3840 wrote to memory of 3540 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3840 wrote to memory of 3540 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3840 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3840 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3840 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3840 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3840 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3840 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3840 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3840 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3840 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 776 wrote to memory of 3368 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wscript.exe |
| PID 776 wrote to memory of 3368 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wscript.exe |
| PID 776 wrote to memory of 3368 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wscript.exe |
| PID 3368 wrote to memory of 3804 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3368 wrote to memory of 3804 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3368 wrote to memory of 3804 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\SysWOW64\cmd.exe |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe

"C:\Users\Admin\AppData\Local\Temp\#PO 4500515595 ULTRA TEC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gtpTbwW.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gtpTbwW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\autochk.exe

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\autofmt.exe

"C:\Windows\SysWOW64\autofmt.exe"

C:\Windows\SysWOW64\autochk.exe

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\SysWOW64\wscript.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.yccop.cfd | udp |
| US | 8.8.8.8:53 | www.wellhousesctx.com | udp |
| US | 35.212.127.26:80 | www.wellhousesctx.com | tcp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aunoption.com | udp |
| TH | 147.50.231.116:80 | www.aunoption.com | tcp |
| US | 8.8.8.8:53 | www.wellhousesctx.com | udp |
| US | 35.212.127.26:80 | www.wellhousesctx.com | tcp |
| US | 8.8.8.8:53 | 116.231.50.147.in-addr.arpa | udp |

Files

memory/3840-0-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/3840-1-0x0000000000030000-0x00000000000BE000-memory.dmp

memory/3840-2-0x00000000050A0000-0x0000000005644000-memory.dmp

memory/3840-3-0x0000000004AF0000-0x0000000004B82000-memory.dmp

memory/3840-4-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3840-5-0x0000000004AA0000-0x0000000004AAA000-memory.dmp

memory/3840-6-0x0000000004D20000-0x0000000004D30000-memory.dmp

memory/3840-7-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/3840-8-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/3840-9-0x0000000005F90000-0x0000000005F9C000-memory.dmp

memory/3840-10-0x00000000064A0000-0x000000000650E000-memory.dmp

memory/3840-11-0x0000000008B10000-0x0000000008BAC000-memory.dmp

memory/3540-16-0x0000000005240000-0x0000000005276000-memory.dmp

memory/3540-17-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/3540-18-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3540-19-0x0000000005310000-0x0000000005320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp

MD5 91a17735fc66345ccca918b9384e53ba
SHA1 56065f0ae5d7eafd937e2b0578e40a86eae1d65a
SHA256 f3fa972ce39f8177f330c0f3d351fc86b53fc4bacaa0cd9eebd4ad60265678ce
SHA512 8ebe5d17c153fe05b76516867c890b80dc88ad407819c321543cdb95e98d74f4fae52afab1e43fd176e8f3ce1868bc7bb1f48ceec4753f03501ebc6d55c7a75a

memory/3540-21-0x0000000005950000-0x0000000005F78000-memory.dmp

memory/4992-22-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3840-24-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/3540-25-0x0000000005860000-0x0000000005882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gxxrvrnz.xng.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3540-26-0x0000000006130000-0x0000000006196000-memory.dmp

memory/3540-32-0x0000000006210000-0x0000000006276000-memory.dmp

memory/3540-37-0x0000000006380000-0x00000000066D4000-memory.dmp

memory/4992-38-0x00000000016E0000-0x0000000001A2A000-memory.dmp

memory/3540-40-0x0000000006820000-0x000000000683E000-memory.dmp

memory/4992-42-0x0000000001390000-0x00000000013A5000-memory.dmp

memory/776-44-0x00000000094C0000-0x000000000965B000-memory.dmp

memory/3540-43-0x00000000068F0000-0x000000000693C000-memory.dmp

memory/4992-41-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3540-45-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3540-46-0x000000007F0B0000-0x000000007F0C0000-memory.dmp

memory/3540-47-0x0000000006E00000-0x0000000006E32000-memory.dmp

memory/3540-48-0x00000000717C0000-0x000000007180C000-memory.dmp

memory/3540-58-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

memory/3540-59-0x0000000007A50000-0x0000000007AF3000-memory.dmp

memory/3540-60-0x0000000008180000-0x00000000087FA000-memory.dmp

memory/3540-61-0x0000000007B40000-0x0000000007B5A000-memory.dmp

memory/3540-62-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/3540-63-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

memory/3540-64-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3540-65-0x0000000007DE0000-0x0000000007E76000-memory.dmp

memory/3540-66-0x0000000007D60000-0x0000000007D71000-memory.dmp

memory/3540-67-0x0000000005310000-0x0000000005320000-memory.dmp

memory/4992-69-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4992-70-0x0000000001400000-0x0000000001415000-memory.dmp

memory/776-71-0x0000000009170000-0x000000000929D000-memory.dmp

memory/776-72-0x00000000094C0000-0x000000000965B000-memory.dmp

memory/3540-73-0x0000000007D90000-0x0000000007D9E000-memory.dmp

memory/3540-74-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

memory/3540-75-0x0000000007EA0000-0x0000000007EBA000-memory.dmp

memory/3540-76-0x0000000007E80000-0x0000000007E88000-memory.dmp

memory/3540-78-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/3368-79-0x0000000000420000-0x0000000000447000-memory.dmp

memory/3368-80-0x0000000000420000-0x0000000000447000-memory.dmp

memory/3368-81-0x0000000000550000-0x000000000057F000-memory.dmp

memory/3368-82-0x0000000002670000-0x00000000029BA000-memory.dmp

memory/776-83-0x0000000009170000-0x000000000929D000-memory.dmp

memory/3368-84-0x0000000000550000-0x000000000057F000-memory.dmp

memory/3368-86-0x00000000023E0000-0x0000000002474000-memory.dmp

memory/776-87-0x000000000BC90000-0x000000000BDEA000-memory.dmp

memory/776-88-0x000000000BC90000-0x000000000BDEA000-memory.dmp

memory/776-90-0x000000000BC90000-0x000000000BDEA000-memory.dmp