Analysis

max time kernel: 85s
max time network: 85s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 16:36

Static task: static1
Behavioral task: behavioral1
  Sample: UltraViewer_setup_6.6_en.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: UltraViewer_setup_6.6_en.exe
  Resource: android-33-x64-arm64-20240611.1-en

General

Target: UltraViewer_setup_6.6_en.exe
Size: 3.2MB
MD5: 96d0e3328a5ca47056741fc4cfe70f45
SHA1: 656eaf078d2375e7b54a3ab950848320eba7bd40
SHA256: 0fa31dd2affdad98dbca7d8b7a9dc02c56093ff2ca06e6b03db7aa4cd4bf5260
SHA512: 6cf3a431d4c300b945bee4ce6fea72985d6ded02618f8ddbe66e9b6d0be89272db202dd2bb9fbfca360c476daed6485d146cc96c7924faa5339787e100580f63
SSDEEP: 98304:Q5zqs0pDMRE7Xy42GKw2tmRWhuwQPUFmD9ViPa:QqDli4Z/2tmUhuwSi2ca
Malware Config
Signatures
Executes dropped EXE (9 IoCs)
Processes:
  pid   process
  3796  UltraViewer_setup_6.6_en.tmp
  2296  UVUninstallHelper.exe
  3220  UltraViewer_Desktop.exe
  1508  UltraViewer_Desktop.exe
  464   UltraViewer_Service.exe
  756   UltraViewer_Desktop.exe
  4368  UltraViewer_Desktop.exe
  116   UltraViewer_Desktop.exe
  3300  uv_x64.exe
Loads dropped DLL (34 IoCs)
Processes:
  pid   process
  3796  UltraViewer_setup_6.6_en.tmp  (3 entries)
  1064  regasm.exe  (6 entries)
  3220  UltraViewer_Desktop.exe  (6 entries)
  2132  regasm.exe  (4 entries)
  1508  UltraViewer_Desktop.exe  (3 entries)
  756   UltraViewer_Desktop.exe  (1 entry)
  4368  UltraViewer_Desktop.exe  (7 entries)
  116   UltraViewer_Desktop.exe  (4 entries)
Processes:
  resource                                                                       yara_rule
  C:\Program Files (x86)\UltraViewer\is-PSSQ7.tmp                                upx
  behavioral1/memory/3220-428-0x0000000000400000-0x000000000084C000-memory.dmp   upx
  behavioral1/memory/3220-447-0x0000000000400000-0x000000000084C000-memory.dmp   upx
  behavioral1/memory/1508-461-0x0000000000400000-0x000000000084C000-memory.dmp   upx
  behavioral1/memory/1508-477-0x0000000000400000-0x000000000084C000-memory.dmp   upx
  behavioral1/memory/756-491-0x0000000000400000-0x000000000084C000-memory.dmp    upx
  behavioral1/memory/116-512-0x0000000000400000-0x000000000084C000-memory.dmp    upx
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                   ioc                 process
  File opened for modification  \??\PhysicalDrive0  UltraViewer_Service.exe
Drops file in System32 directory (12 IoCs)
Processes:
  description                   ioc                                                                                                  process
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log                svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs           svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm            svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat            svchost.exe
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log  RegAsm.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx                   svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp                   svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log                   svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs           svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk                   svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat            svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk                   svchost.exe
Drops file in Program Files directory (64 IoCs)
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
  pid   process
  2032  sc.exe
  2392  sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Discovers systems in the same network (1 TTPs, 2 IoCs)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
  pid   process
  1896  ipconfig.exe
Kills process with taskkill (64 IoCs)
Processes:
  process: taskkill.exe
  pids (64 entries, in the order listed): 3472, 5072, 4588, 1852, 4940, 4388, 3220, 4848, 4188, 3220, 312, 216, 2504, 4000, 4740, 2032, 540, 1660, 4028, 4372, 4028, 4224, 4648, 3352, 3900, 2284, 2740, 4072, 4368, 4284, 220, 216, 3160, 4224, 1432, 2740, 444, 3532, 2392, 4576, 3504, 4416, 4024, 2688, 4660, 396, 2376, 2172, 960, 1772, 1940, 3164, 3736, 1288, 4828, 2044, 3412, 3884, 3000, 2500, 3348, 3968, 3708, 4588
Modifies data under HKEY_USERS (15 IoCs)
Processes:
  description      ioc                                                                                                         process
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections             UltraViewer_Service.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                       chrome.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                UltraViewer_Service.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software                                                                            UltraViewer_Desktop.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop                            UltraViewer_Desktop.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Settings\CurrentLanguageBrief = "en"  UltraViewer_Desktop.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  UltraViewer_Service.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Options                    UltraViewer_Desktop.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  UltraViewer_Service.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Options\UsingOlderThan610Settings = "0"  UltraViewer_Desktop.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\UltraViewer_Desktop\Settings                   UltraViewer_Desktop.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630294022730477"  chrome.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  UltraViewer_Service.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  UltraViewer_Service.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings                                                UltraViewer_Desktop.exe
Modifies registry class (64 IoCs)
Runs net.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid   process
  3220  UltraViewer_Desktop.exe
  4368  UltraViewer_Desktop.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes:
  pid   process
  1820  chrome.exe  (2 entries)
  2296  UVUninstallHelper.exe  (1 entry)
  3796  UltraViewer_setup_6.6_en.tmp  (2 entries)
  2036  mspaint.exe  (2 entries)
  3220  UltraViewer_Desktop.exe  (2 entries)
  464   UltraViewer_Service.exe  (2 entries)
  4368  UltraViewer_Desktop.exe  (2 entries)
  464   UltraViewer_Service.exe  (10 entries)
  116   UltraViewer_Desktop.exe  (9 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes:
  pid   process
  1820  chrome.exe  (6 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                                                        pid   process
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating, 26 entries)  1820  chrome.exe
  Token: SeDebugPrivilege                                            2296  UVUninstallHelper.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating, 20 entries)  1820  chrome.exe
  Token: SeDebugPrivilege                                            1796  taskkill.exe
  Token: SeDebugPrivilege                                            4468  taskkill.exe
  Token: SeDebugPrivilege                                            4588  taskkill.exe
  Token: SeDebugPrivilege                                            3472  taskkill.exe
  Token: SeDebugPrivilege                                            312   taskkill.exe
  Token: SeDebugPrivilege                                            4740  taskkill.exe
  Token: SeDebugPrivilege                                            3532  taskkill.exe
  Token: SeDebugPrivilege                                            1340  taskkill.exe
  Token: SeDebugPrivilege                                            4156  taskkill.exe
  Token: SeDebugPrivilege                                            1732  taskkill.exe
  Token: SeDebugPrivilege                                            4828  taskkill.exe
  Token: SeDebugPrivilege                                            1104  taskkill.exe
  Token: SeDebugPrivilege                                            4076  taskkill.exe
  Token: SeDebugPrivilege                                            4460  taskkill.exe
  Token: SeDebugPrivilege                                            2816  taskkill.exe
  Token: SeDebugPrivilege                                            448   taskkill.exe
  Token: SeDebugPrivilege                                            3584  taskkill.exe
Suspicious use of FindShellTrayWindow (28 IoCs)
Processes:
  pid   process
  1820  chrome.exe  (27 entries)
  3796  UltraViewer_setup_6.6_en.tmp  (1 entry)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   process
  1820  chrome.exe  (24 entries)
Suspicious use of SetWindowsHookEx (17 IoCs)
Processes:
  pid   process
  2036  mspaint.exe  (1 entry)
  1348  OpenWith.exe  (1 entry)
  3220  UltraViewer_Desktop.exe  (4 entries)
  1508  UltraViewer_Desktop.exe  (1 entry)
  756   UltraViewer_Desktop.exe  (1 entry)
  4368  UltraViewer_Desktop.exe  (6 entries)
  116   UltraViewer_Desktop.exe  (3 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                        pid   process                       target process
  PID 5048 wrote to memory of 3796   5048  UltraViewer_setup_6.6_en.exe  UltraViewer_setup_6.6_en.tmp  (3 entries)
  PID 1820 wrote to memory of 1568   1820  chrome.exe                    chrome.exe  (2 entries)
  PID 1820 wrote to memory of 4796   1820  chrome.exe                    chrome.exe
  PID 1820 wrote to memory of 2208   1820  chrome.exe                    chrome.exe  (2 entries)
  PID 1820 wrote to memory of 1896   1820  chrome.exe                    chrome.exe
  The 4796 and 1896 rows are repeated in the report and together account for the remaining 57 of the 64 entries.
Processes
-
C:\Users\Admin\AppData\Local\Temp\UltraViewer_setup_6.6_en.exe"C:\Users\Admin\AppData\Local\Temp\UltraViewer_setup_6.6_en.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\is-QUTC3.tmp\UltraViewer_setup_6.6_en.tmp"C:\Users\Admin\AppData\Local\Temp\is-QUTC3.tmp\UltraViewer_setup_6.6_en.tmp" /SL5="$40210,2903087,121344,C:\Users\Admin\AppData\Local\Temp\UltraViewer_setup_6.6_en.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\is-QU0VJ.tmp\UVUninstallHelper.exe"C:\Users\Admin\AppData\Local\Temp\is-QU0VJ.tmp\UVUninstallHelper.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296 -
C:\Windows\SysWOW64\net.exe"net" stop UltraViewService3⤵
- Discovers systems in the same network
PID:3392 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UltraViewService4⤵PID:2556
-
C:\Windows\SysWOW64\net.exe"net" stop UltraViewService3⤵
- Discovers systems in the same network
PID:1380 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop UltraViewService4⤵PID:5064
-
C:\Windows\SysWOW64\sc.exe"sc" delete UltraViewService3⤵
- Launches sc.exe
PID:2032 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4588 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3472 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:312 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4740 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4284 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3532 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4828 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4460 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:448 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:3220 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1048
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2080
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4916
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:3884 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:2392 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:3352 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:3968 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4228
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3160
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:1940 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:3900 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:688
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1652
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1380
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:2284 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2060
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1576
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:3164 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:2480
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4040
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3736
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1432
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1944
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2520
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:2376 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4304
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1048
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:396
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3348
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4432
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4872
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:3000 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1632
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1836
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:2500
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:2044 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:3708 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4660
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:2740 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:220 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1852
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:376
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:2432
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:216 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:2476
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2716
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4200
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2376
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:4072 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:2172 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:2032 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4588 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3060
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:1852 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1104
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4416
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:2504 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4940 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4044
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1240
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4148
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2068
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:960 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4576 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:3504 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4916
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:540 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3060
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:3736 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3000
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:4416 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:428
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:216
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1580
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:1660 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4596
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:4224 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4000
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:2748
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2192
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4572
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4432
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3884
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3768
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3500
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4828
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:1432 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4412
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3588
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4648 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3220
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4984
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:5072 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4000 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:4848 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3140
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4640
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1220
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:1772 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:2688 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4156
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:3412 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4728
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:216 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3160
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3688
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:5016
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4224
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4808
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4660 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3348
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4408
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:4024 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4872
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:2392
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2688
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4156
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3412
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4728
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:216
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:3160 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:5100
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:5016
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4224 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1348
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4660
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3348
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4916
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:444 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4028 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:2900
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4824
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3548
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2676
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4412
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2716
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:2660
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3392
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:692
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:396 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1804
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4712
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1508
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1840
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1852
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:820
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3940
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3480
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1760
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:624
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1944
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3192
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3676
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:2500 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:752
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4372 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:2740 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:1288 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:824
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:5008
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:8
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:2320
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3208
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3412
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:4188 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1580
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:3220 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:4224
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:4388 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4368 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵
- Kills process with taskkill
PID:3348 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:1364
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:1220
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵
- Kills process with taskkill
PID:4028 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:4964
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Desktop.exe"3⤵PID:3320
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "UltraViewer_Service.exe"3⤵PID:3412
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl.dll" /tlb3⤵
- Loads dropped DLL
- Modifies registry class
PID:1064 -
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" validate3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3220 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" "C:\Program Files (x86)\UltraViewer\HtmlAgilityPack.dll" /tlb3⤵
- Loads dropped DLL
- Modifies registry class
PID:2132 -
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" install3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1508 -
C:\Windows\SysWOW64\sc.exesc failure "UltraViewService" reset= 0 actions= restart/600004⤵
- Launches sc.exe
PID:2392 -
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe" regasm403⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:756 -
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4368
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99247ab58,0x7ff99247ab68,0x7ff99247ab782⤵PID:1568
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:22⤵PID:4796
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:82⤵PID:2208
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:82⤵PID:1896
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:12⤵PID:3700
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:12⤵PID:4436
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3580 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:12⤵PID:4940
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:82⤵PID:756
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:82⤵PID:4640
-
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4636 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:1
Tree depth: 2
PID: 400
-
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4944 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:1
Tree depth: 2
PID: 4416
-
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3108 --field-trial-handle=1836,i,4653598945891401440,7605232190898478497,131072 /prefetch:1
Tree depth: 2
PID: 2640
-
Image: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Tree depth: 1
PID: 3940
-
Image: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"
Tree depth: 1
PID: 3584
-
Image: C:\Windows\system32\ipconfig.exe
Command line: ipconfig
Tree depth: 2 (child of cmd.exe, PID 3584)
- Gathers network information
PID: 1896
-
Image: C:\Windows\system32\mspaint.exe
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RepairResume.jpeg" /ForceBootstrapPaint3D
Tree depth: 1
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2036
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
Tree depth: 1
- Drops file in System32 directory
PID: 3972
-
Image: C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
Tree depth: 1
- Suspicious use of SetWindowsHookEx
PID: 1348
-
Image: C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe
Command line: "C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe"
Tree depth: 1
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID: 464
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
Tree depth: 2 (child of UltraViewer_Service.exe, PID 464)
- Drops file in System32 directory
PID: 3676
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
Tree depth: 2 (child of UltraViewer_Service.exe, PID 464)
PID: 4992
-
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase
Tree depth: 2 (child of UltraViewer_Service.exe, PID 464)
PID: 448
-
Image: C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe
Command line: UltraViewer_Desktop.exe -pid:4368 -debughwnd:-1
Tree depth: 2 (child of UltraViewer_Service.exe, PID 464)
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 116
-
Image: C:\Program Files (x86)\UltraViewer\uv_x64.exe
Command line: uv_x64.exe hook 4368 131760
Tree depth: 2 (child of UltraViewer_Service.exe, PID 464)
- Executes dropped EXE
PID: 3300
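The RegAsm.exe entries are the part of this tree an analyst will want to pull out: RegAsm loads and registers whatever .NET assembly it is handed, which is why ATT&CK lists it under T1218.009 (Regsvcs/Regasm), and here UltraViewer_Service.exe launches it three times for RemoteControl40.dll with /codebase, the switch that records the assembly's path in the registry. The script below is an added example, not part of the sandbox report or of UltraViewer: it parses the fused one-line export layout (image path, command line and tree-depth marker run together, PID fused onto that line or on its own), rebuilds parent links from the depth marker, and reports RegAsm/RegSvcs registrations of assemblies outside C:\Windows together with the parent that launched them, plus ipconfig under cmd.exe as T1016. The sample lines are constructed from entries in this report; the technique mapping, the WINDIR prefix rule and all names are the example's own assumptions. A hit is context, not a verdict: a legitimate installer registering its own COM-visible assembly produces the same pattern.

```python
"""Parse a flattened sandbox process tree and flag RegAsm proxy execution.

Added example, not part of the report. Export layout handled:
    <image path><command line><tree depth>⤵[PID:<n>]
    - <behavioural signature>      (zero or more)
    PID:<n>                        (when not fused onto the first line)
    -                              (entry separator)
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample constructed from entries in this report, raw export layout kept as-is.
SAMPLE = r"""
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:3584
-
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
PID:1896
-
C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe"C:\Program Files (x86)\UltraViewer\UltraViewer_Service.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:464 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase2⤵
- Drops file in System32 directory
PID:3676 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files (x86)\UltraViewer\RemoteControl40.dll" /tlb /codebase2⤵PID:4992
-
C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exeUltraViewer_Desktop.exe -pid:4368 -debughwnd:-12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:116 -
C:\Program Files (x86)\UltraViewer\uv_x64.exeuv_x64.exe hook 4368 1317602⤵
- Executes dropped EXE
PID:3300
"""

# The first ".exe" ends the image path; the digit before "⤵" is the tree depth.
ENTRY_RE = re.compile(r'^(?P<image>.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?', re.I)
PID_RE = re.compile(r'^PID:(\d+)')
WINDIR = 'c:\\windows\\'                   # assumption: system assemblies live here
DISCOVERY = {'ipconfig.exe': 'T1016'}     # System Network Configuration Discovery


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional['Proc'] = None
    signatures: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit('\\', 1)[-1]


def parse_tree(text: str) -> list:
    """Return Proc objects in export order with parent links rebuilt from depth."""
    procs, cur = [], None
    latest = {}  # tree depth -> most recent process seen at that depth
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == '-':
            continue
        if line.startswith('- ') and cur:
            cur.signatures.append(line[2:])
        elif (pm := PID_RE.match(line)) and cur:
            cur.pid = int(pm.group(1))
        elif m := ENTRY_RE.match(line):
            cur = Proc(m['image'], m['cmdline'].strip(), int(m['depth']),
                       int(m['pid']) if m['pid'] else None)
            cur.parent = latest.get(cur.depth - 1)
            # a new entry at this depth closes any deeper subtree
            latest = {d: p for d, p in latest.items() if d < cur.depth}
            latest[cur.depth] = cur
            procs.append(cur)
    return procs


def analyse(procs: list) -> list:
    """Findings carry the parent so the analyst sees who launched the LOLBin."""
    findings = []
    for p in procs:
        parent = p.parent.name if p.parent else None
        parent_pid = p.parent.pid if p.parent else None
        name = p.name.lower()
        if name in ('regasm.exe', 'regsvcs.exe'):
            # T1218.009: registering an assembly from outside %WINDIR% is the signal;
            # /codebase additionally stores the assembly path in the registry so the
            # CLR can locate it at COM activation.
            for dll in re.findall(r'"([^"]+\.dll)"', p.cmdline, re.I):
                if not dll.lower().startswith(WINDIR):
                    findings.append({'technique': 'T1218.009', 'pid': p.pid, 'assembly': dll,
                                     'codebase': '/codebase' in p.cmdline.lower(),
                                     'parent': parent, 'parent_pid': parent_pid})
        elif name in DISCOVERY:
            findings.append({'technique': DISCOVERY[name], 'pid': p.pid, 'parent': parent,
                             'parent_pid': parent_pid, 'signatures': list(p.signatures)})
    return findings


if __name__ == '__main__':
    for f in analyse(parse_tree(SAMPLE)):
        print(f)
```

Run against the full export, the same parser also keeps each sandbox signature attached to its process, so a line such as "Writes to the Master Boot Record (MBR)" stays next to UltraViewer_Service.exe rather than floating free in a list.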
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 130KB
MD5: 00dc215cee6be49802295ad6802da661
SHA1: 8a04d6be54ea950986469e951f64641f54e0b080
SHA256: 78750e7bd53ed088d8365fc2e69b74883a813b0ea0d461873ad61fd8059dbd31
SHA512: b82a020fd0d5ffe480389f3472fba4a5695bd045493eabfd5de3cc628ed19ba731eca8266e7a8594235ef93453b196b9a914b2376c0d9709d3e63718894c0785
-
Filesize: 2B
MD5: 9cfefed8fb9497baa5cd519d7d2bb5d7
SHA1: 094b0fe0e302854af1311afab85b5203ba457a3b
SHA256: dbd3a49d0d906b4ed9216b73330d2fb080ef2f758c12f3885068222e5e17151c
SHA512: 41dd75307a2e7c49caf53fff15aada688275ef4d7950bedf028612b73f343ed45cf51fe1d4d27f58ed12e93e0fd0ae7f69428db169211554d1b380c91aa5cd01
-
Filesize: 14KB
MD5: f1aec4996c20919cf409233381a7f2cc
SHA1: a42ca00c2fdf629b59bf28cbdb4a4f8dd8a379c2
SHA256: 33ef5c04e6abe19e5f56f28c8f71b323606c803625ae238340231f6e36a2ef82
SHA512: cdd564cb07a528839133ca64aacadbfab212d150974ece5b9d11cc928f0a75070032434782824d486b894bcfd362d27ea7f9c6c1ed96e1152aa3a0ffa7266c3f
-
Filesize: 1KB
MD5: ac089148d930e0380d34164d2b16eb2b
SHA1: 961a0615d0e3491cdbb4d226092bfef4b5be4ce0
SHA256: 30b1a2e3b1f3d5c25b617438d9c24c492f292c6059a8de02ff5e0666e4d9a3f6
SHA512: 977c5bf445ae5a3c696c5af6ba97fd3963291f88cd946f2ce8d35f70ff16764fa3c5e1eafa6b14e5beac75da1d77bea6f99bd2164e36c037dfd44ee0244908e8
-
Filesize: 496KB
MD5: 5da17fa97fce539c78e3018ee1c29cd0
SHA1: cff12edd4361fa5c310250ebaacbfc54274f00c8
SHA256: 92254cb54bbdd875f6950c2afbfe17c001bbf7dccd43d43eafdb7d9bfec35afe
SHA512: 1f402ebe99cf95c55e9b524b91c9002a68f04f7f7d7a29e189c2226ad88e76bf18047b201c75de805b4dcde9830d765d705946b045937aa40d3e2e5465e5dcc5
-
Filesize: 1.1MB
MD5: 4e6629225fb913a103de0bc3f42e51b4
SHA1: 63239d6b2fee80aeb2595656f11d2669475ea53f
SHA256: 2dabe96727b0bdd1c83d08d06df0f77971f729af88af18e039814c6a7538b705
SHA512: 41c73c49d5d76e0e2150a9d4393608fd4df99f77f3baf389c6f8d4cc23451de39f05bc058d821936cc1512eec68d574ac843a31e4609c8417b5f2e81bbb403c6
-
Filesize: 255KB
MD5: eeae895cae230a0df9e6e56aa40fd8a2
SHA1: eca9c588e2b22a950073023d434901ebb3648825
SHA256: 0912b7e1e2585f79f9f4a74d0145106a853ec38f9b4ccbafcdee335c8653445a
SHA512: 09d0810f0986a8cc9d4a7aaa2d9ea3a92dde278480a5bb38720fc13e22148622ce56043b86b1069c986d111c0763179652795d3e651ec1e66f0d12429a63b61c
-
Filesize: 310B
MD5: 42b8d26600dcb85572ee43616f929d6a
SHA1: 31a4c46641129ef59eb925621c1aa4f8401d776c
SHA256: 99f95d44f1e42cf485132e722679f9d0c6f6cd5f560ce76dfd98abf8558377bc
SHA512: d485b45f06de66ff31b8db6706868ac3d3f89b3980bffaa05b539f0ad2b2373e72fd1aab4cfb8cf0dca7d52b43df195336f53cc9cfe99a9d87143c02a5470eae
-
Filesize: 235KB
MD5: dc87d34efd1406e84d8f4559749f062f
SHA1: 2999d519d6b305d3db6ee8601e1879b8d9d9681a
SHA256: 10ff43f2d4a991c83caefce1c4442fa95258d0d93f168dde339f52322aa371e9
SHA512: 9420a088bbcd8746ed734c4986f0153b8db606caabc190b3a2005e3087ae0135a832c310ccd5712e1fd77b9661f2efa6b509c72008e0d9a422480c871cb7f2be
-
Filesize: 1012KB
MD5: 54f25d41d8a7896b10aad1de0fdc5551
SHA1: 618803beffa5e001009884f9797f2f12a091608f
SHA256: 786230e60306a1cbc9f0ad3c5b41add3b151b3cfa5d24ae8027910a4f65187eb
SHA512: 271dc150f91d8a0fb12e39e6c70b988573b269df02900d77b1e880bdf62fb393ffb44af0085e6571249f88a591d6a1a6e481fc9243262c9d8c6a1d5907982831
-
Filesize: 1.3MB
MD5: 5343a19c618bc515ceb1695586c6c137
SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize: 124KB
MD5: 8b3f15a335710c799eae2395fa6b322d
SHA1: 81b9f58fe2c61e26e758690f59fa4de4bc8b462b
SHA256: 09ab11cb97673838faf91b8d06ed9ff7ad460d7791715ee983b83004984a452c
SHA512: c0dd2302d5d00d8c1f7b21972a12d0ce8bfda07603e8cb3006e6df696458d15e3b8e7eeefa712195e3337ddda6de0f683d66963dde5484172517c6338e48dda9
-
Filesize: 811B
MD5: 2fff0e3fa81f188548ecda561dfd1f94
SHA1: 86f727e17ad57985b66660cd9e17bde1c0bb5689
SHA256: 03f45f2caf4297595431ea59528da1a8aa69f830003d25f58811c03143c871f1
SHA512: 1aa6cf26344239ff209c2bbceebf8419365a8e7be72ca233cbfbaf2e5a66b5b002272a65d9c90a1c6e1262d5420b5cdd48072731edb0fc3ac383e3375dfa9829
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 7KB
MD5: f2bbc7a43ec267f83a8a59a25961851e
SHA1: 5fb2bd658e2a657c142aca060ffbe88de938580c
SHA256: 8c0aa34ddd177d3ed29b49df18d9f011ddcbeae5ec5b30c30287175a88183f23
SHA512: 0a4804530d1b6cd99ad1c0684fd1465c490962765571f49c932b211c48689bdb92732e7c104daffd5545c2c3af5a6c2f4514efa523256221a72106b0da14588c
-
Filesize: 257KB
MD5: 1291b349c723366b6609eb666be511d6
SHA1: ade1984c9a6f30db495ca37dc8d797575f92069e
SHA256: de254acc80af597f7d93bcb3d36900f76d920b4e027d4f6ab08f34829d25fb24
SHA512: 666d4c4d1f2ed7f7bcf81ddb070361b99d9e880cb0d527858d70f0783da4fc854a0522f5736ae5dbeb79448333d324ce3625bed90d0ae9bb100cfda4dfcdbd7d
-
Filesize: 257KB
MD5: 818b16ef39c633736652925861aeb428
SHA1: 5468c1fd3f0aa3baa198310d08b5f29e9bd6c7e8
SHA256: 05058ac95a35854973a65ddf68a6601f7ecf74bb2055a0662b3b3dd50b402f44
SHA512: ace1ec0959b9bb3c82379cef5e51c873c4e716d7ea141fcbe8240b58dfdffc12f884bf86f7c3acca85caa4aeb43c231dcf6d45867e601f08261b33021eeb8469
-
Filesize: 257KB
MD5: b04fe0abc6f39da9ce35d3cd9800d1df
SHA1: 0dd1cb61a2d138178afc858c0811cf3575b23de6
SHA256: ff26111dde334756242117e5e1fa68ddbff32f1fc27153d1814303df694faf1e
SHA512: 02ff92faa63aa446631fd97537d2d523203426ebccbd2fdafbd88bf50c70354df01489b5085cb13be187901d4e571be524db7badcd327e4e47432bced18dc39b
-
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize: 1KB
MD5: 81cc3ddcb2974a02db7a3cd4955a2a9a
SHA1: b9c9d796a84cf9e6d14582c9bbe5713dc129a5d0
SHA256: b660cfa1d78e3d585e184c23a2cdd37749a2e1a8f37797fc96d9bc119036e023
SHA512: 1b61546278e7457f1afe5850d6c62f34212d9030b4e86469f9ac51bb37761f883812c917b0575e08aa8855733cc79256b8ae8c9c0664b0d29a9cb0938cdfa3a6
-
Filesize: 507B
MD5: 76ffb2f33cb32ade8fc862a67599e9d8
SHA1: 920cc4ab75b36d2f9f6e979b74db568973c49130
SHA256: f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310
SHA512: f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e
-
Filesize: 43KB
MD5: ececb301656f5f8c6a46a8abf8d928fe
SHA1: 9bdf8a054c71d34837262ab306db92d3ee70db3b
SHA256: 801bbe7a174ca09bb029aedf54c3073d96c033fa01dcd68f4240983d2ad7cb6b
SHA512: 314178d1b1ab4391d327b9f687fe5cd066a5dc9ecb75528a7572ade31f4630af618717eaf5dd75a436182d77a999fc67fafea3a60ad2a8f03111542ba1c813f6
-
Filesize: 225B
MD5: 679aca3e8125584e8704b2dfdfa20a0b
SHA1: bab48dc1c46f6d8b2c38cf47d9435ae9f8bf295e
SHA256: 470ce4147bff777ebefc7ccc9e2d1bc5df203b727134fc90b0134bf3cdc7add4
SHA512: 8441e36e9091dae33350083b1824bc154f969c4fa86c5984c45e0bd59536933e48773ff4bfb4297e543cb270149025dca82c6bdfad2ca1639f4df58f8abcae6e
-
Filesize: 232KB
MD5: 55c310c0319260d798757557ab3bf636
SHA1: 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256: 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512: e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
Filesize: 121KB
MD5: 48ad1a1c893ce7bf456277a0a085ed01
SHA1: 803997ef17eedf50969115c529a2bf8de585dc91
SHA256: b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3
SHA512: 7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4
-
Filesize: 1.1MB
MD5: e845838d99d29c4bba4ad35ee996dea3
SHA1: 34a9f433ce1e3339e07d75f0a74efd676b1d7cca
SHA256: b727418174ad4f929ad9206e4df51865def55c0d2874bda487cbae6f2946938d
SHA512: fba499d125eec733535d6b5d93fa43e628e526e7bc3b1aab7e848a80ac373cb09db9cb6777567c51877267001d3dc308b2edae1ac51e109c2936bd3c20928f1d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize: 42B
MD5: 84cfdb4b995b1dbf543b26b86c863adc
SHA1: d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256: d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512: 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
(digests of a zero-length file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
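Two things are worth doing with a hash list like this before chasing any of it: check that every digest is well formed for its algorithm (a fused or truncated value is easy to miss in this layout), and recognise entries whose digests belong to trivial content, because those downloads carried nothing worth analysing. The final entry's digests are those of a zero-length file, and the script below identifies the two-byte entry with MD5 d751713988987e9331980363e24189ce as the string "[]" while leaving the other two-byte entry unidentified. This is an added example, not part of the report: it parses the fused label/value layout used above (label and hex run together, or the value wrapped onto the next line), validates digest lengths, verifies bytes or a local file against an entry, and matches entries against a short candidate list. The sample is constructed from entries in this list; the candidate list and all helper names are the example's own.

```python
"""Parse a sandbox 'Downloads' hash list and spot trivial or malformed entries.

Added example, not part of the report. Layout handled:
    -                      (entry separator)
    <path>                 (optional)
    Filesize<size> or Filesize / <size> on the next line
    MD5<hex>, SHA1<hex>, SHA256<hex>, SHA512<hex>, each possibly wrapped
"""
import hashlib
import re
from pathlib import Path

ALGOS = {'md5': 32, 'sha1': 40, 'sha256': 64, 'sha512': 128}
LABEL_RE = re.compile(r'^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]*)$')
# Contents worth recognising on sight (example's own list, extend as needed).
TRIVIAL = [b'', b'[]', b'{}']

# Sample constructed from entries in this report, fused layout kept as-is.
SAMPLE = r"""
-
Filesize
130KB
MD500dc215cee6be49802295ad6802da661
SHA18a04d6be54ea950986469e951f64641f54e0b080
SHA25678750e7bd53ed088d8365fc2e69b74883a813b0ea0d461873ad61fd8059dbd31
SHA512b82a020fd0d5ffe480389f3472fba4a5695bd045493eabfd5de3cc628ed19ba731eca8266e7a8594235ef93453b196b9a914b2376c0d9709d3e63718894c0785
-
Filesize
2B
MD59cfefed8fb9497baa5cd519d7d2bb5d7
SHA1094b0fe0e302854af1311afab85b5203ba457a3b
SHA256dbd3a49d0d906b4ed9216b73330d2fb080ef2f758c12f3885068222e5e17151c
SHA51241dd75307a2e7c49caf53fff15aada688275ef4d7950bedf028612b73f343ed45cf51fe1d4d27f58ed12e93e0fd0ae7f69428db169211554d1b380c91aa5cd01
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def parse_downloads(text: str) -> list:
    """Return one dict per entry with keys among path, size, md5, sha1, sha256, sha512."""
    entries, cur, pending = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line == '-':
            if cur:
                entries.append(cur)
            cur, pending = {}, None
            continue
        if cur is None:
            cur = {}
        if pending:                              # value wrapped onto its own line
            cur[pending] = line if pending == 'size' else line.lower()
            pending = None
        elif m := LABEL_RE.match(line):
            algo, val = m.group(1).lower(), m.group(2).lower()
            if val:
                cur[algo] = val
            else:
                pending = algo
        elif line.startswith('Filesize'):
            rest = line[len('Filesize'):].strip()
            if rest:
                cur['size'] = rest
            else:
                pending = 'size'
        elif '\\' in line:                       # a file path recorded for the entry
            cur['path'] = line
    if cur:
        entries.append(cur)
    return entries


def valid_digests(entry: dict) -> bool:
    """Every digest present must be lowercase hex of its algorithm's length."""
    return all(re.fullmatch(r'[0-9a-f]{%d}' % n, entry[a]) is not None
               for a, n in ALGOS.items() if a in entry)


def verify_bytes(data: bytes, entry: dict) -> dict:
    """Per-algorithm match of data's digests against the entry's recorded ones."""
    return {a: hashlib.new(a, data).hexdigest() == entry[a] for a in ALGOS if a in entry}


def verify_file(path, entry: dict) -> dict:
    return verify_bytes(Path(path).read_bytes(), entry)


def identify_trivial(entry: dict, candidates=TRIVIAL):
    """Return the candidate content whose digests all match the entry, else None."""
    if not any(a in entry for a in ALGOS):
        return None
    for content in candidates:
        if all(verify_bytes(content, entry).values()):
            return content
    return None


if __name__ == '__main__':
    for e in parse_downloads(SAMPLE):
        hit = identify_trivial(e)
        print(e.get('path', '<no name>'), e.get('size', '?'), e.get('sha256', '?')[:16],
              'valid' if valid_digests(e) else 'MALFORMED',
              f'trivial content {hit!r}' if hit is not None else '')
```

Matching all four digests rather than MD5 alone avoids being misled by a single colliding or mistyped value; an entry that matches on MD5 but not on SHA256 is itself a finding.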