18bd99b74d03afa90e54bf663e6ec02a5261aa27c40b157e97c758e2b0a2d5e5

Analysis

max time kernel
111s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2023, 19:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cuteftppro.exe
Size

5.9MB
MD5

76cad3621e2200d856d7cb550376df02
SHA1

4b37cb45eb7bea08055936ad776e43e8b92d6d6f
SHA256

18bd99b74d03afa90e54bf663e6ec02a5261aa27c40b157e97c758e2b0a2d5e5
SHA512

d1a4f6a8f20a932e982da85fef3126d4a7c952410b128e7b9d95d4d851f40001ee66d861e6a27cb87d3dfe10bc657e2bddc773d7baa8abf28efa71b6620bee32
SSDEEP

98304:htc+aGgiFVnqU9WNzPzDcN4FB/z6I+fZk88enjNDToTwDKavDw8+CQWoG9VXo:haezoNfo+FpzB+fZQejx0TgKa7B7VL5o

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4328	Setup.exe
4372	IKernel.exe
4160	IKernel.exe
1712	iKernel.exe

Loads dropped DLL 20 IoCs

pid	Process
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4328	Setup.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe
4160	IKernel.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\Autorun.inf	cuteftppro.exe
File created	C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\Autorun.inf	cuteftppro.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor6cf7.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\obje6d65.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\core6ce8.rra	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\IScript\iscr6e10.rra	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuse6d84.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\temp.000	Setup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini	IKernel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ = "ISetupCABFiles"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupComponent"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ = "ISetupFileErrors"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\VersionIndependentProgID	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\InprocServer32\ThreadingModel = "Apartment"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\ = "ISetupShellLink2"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ = "ISetupType"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupFeatureLog"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupLogDB"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ = "ISetupCABFile2"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ = "ISetupObjectContext"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\FLAGS	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\ = "SetupLogServices Class"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\ = "ISetupShellLink"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\ProgID	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\FLAGS\ = "0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupComponents"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ = "ISetupFeature"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ = "ISetupBasicFeatureStateEvents"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\FLAGS\ = "0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ = "ISetupFilesCost"	IKernel.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4328	4072	cuteftppro.exe	82
PID 4072 wrote to memory of 4328	4072	cuteftppro.exe	82
PID 4072 wrote to memory of 4328	4072	cuteftppro.exe	82
PID 4328 wrote to memory of 4372	4328	Setup.exe	83
PID 4328 wrote to memory of 4372	4328	Setup.exe	83
PID 4328 wrote to memory of 4372	4328	Setup.exe	83
PID 4160 wrote to memory of 1712	4160	IKernel.exe	85
PID 4160 wrote to memory of 1712	4160	IKernel.exe	85
PID 4160 wrote to memory of 1712	4160	IKernel.exe	85

C:\Users\Admin\AppData\Local\Temp\cuteftppro.exe
"C:\Users\Admin\AppData\Local\Temp\cuteftppro.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4372

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
  "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
596KB

MD5
bf25eb6a1e0aa2fff0cb190270b95418

SHA1
79cad1291ac8b042af8454328ef7c71ce04a7c9d

SHA256
4535320c5b9596a6210109f68c647dbdbd0289ba63286fd389dea910855491f1

SHA512
66a4ee419548e63c0a007be91ad58d5e1a6cf37e5df70a5da7ddcc0a1f4831bb42ba67c6cc8ce3d54b99fa77a9249ace9b5cc4836e957103b9901484bb04337b

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
596KB

MD5
bf25eb6a1e0aa2fff0cb190270b95418

SHA1
79cad1291ac8b042af8454328ef7c71ce04a7c9d

SHA256
4535320c5b9596a6210109f68c647dbdbd0289ba63286fd389dea910855491f1

SHA512
66a4ee419548e63c0a007be91ad58d5e1a6cf37e5df70a5da7ddcc0a1f4831bb42ba67c6cc8ce3d54b99fa77a9249ace9b5cc4836e957103b9901484bb04337b

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
596KB

MD5
bf25eb6a1e0aa2fff0cb190270b95418

SHA1
79cad1291ac8b042af8454328ef7c71ce04a7c9d

SHA256
4535320c5b9596a6210109f68c647dbdbd0289ba63286fd389dea910855491f1

SHA512
66a4ee419548e63c0a007be91ad58d5e1a6cf37e5df70a5da7ddcc0a1f4831bb42ba67c6cc8ce3d54b99fa77a9249ace9b5cc4836e957103b9901484bb04337b

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
596KB

MD5
bf25eb6a1e0aa2fff0cb190270b95418

SHA1
79cad1291ac8b042af8454328ef7c71ce04a7c9d

SHA256
4535320c5b9596a6210109f68c647dbdbd0289ba63286fd389dea910855491f1

SHA512
66a4ee419548e63c0a007be91ad58d5e1a6cf37e5df70a5da7ddcc0a1f4831bb42ba67c6cc8ce3d54b99fa77a9249ace9b5cc4836e957103b9901484bb04337b

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\IKernel.ex_

Filesize
336KB

MD5
4d63bbff28afc7a69b6defaf048306a7

SHA1
8e8a6fb997051e7e4bc9b32be517f40e4c8ecd9b

SHA256
4eb9a6a4c0b1147290c74d2160533e49e043335255be9a60b6c83638d83e5590

SHA512
251e3782bd481564a52729386df31f338a9ae1d80123e222684c9e753dd0c8c3106e98d9fa5d2874ff6345182f1909ae1b7864716d5632d42ca91bf94422ff65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\Setup.exe

Filesize
55KB

MD5
1aeb989e361af85f5099de3da25457f4

SHA1
4f494142e3fb00c6d6845525cd4540ba3f7be9ef

SHA256
ab9e0291a763efc32e84e7117f9a0fbc99b681c96df0bb27a66433a726667e5c

SHA512
0ecd71f3deb154c8f48ec278822820f41ab15c6efe76b00b8f6a95e28a62a97fbb8c44eb38293cae3fe3a0fe29fedbc660671885c4e3f7eb0016b6dbf3b4b273

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\Setup.exe

Filesize
55KB

MD5
1aeb989e361af85f5099de3da25457f4

SHA1
4f494142e3fb00c6d6845525cd4540ba3f7be9ef

SHA256
ab9e0291a763efc32e84e7117f9a0fbc99b681c96df0bb27a66433a726667e5c

SHA512
0ecd71f3deb154c8f48ec278822820f41ab15c6efe76b00b8f6a95e28a62a97fbb8c44eb38293cae3fe3a0fe29fedbc660671885c4e3f7eb0016b6dbf3b4b273

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\data1.cab

Filesize
1.1MB

MD5
51cb8845b4828d1db7df37c546b3c7b0

SHA1
4c21d6c1079920e9eee356922384d6de748a7719

SHA256
5c4794ace8cb2714aca03ce3d8c018e391b90cf22eedc5aad5669ba9cdb5c2a7

SHA512
bf2ab7e638838b283a5ac3bd05c9d42ca7c7dd3ff21a683b72ed7ca83dc85314873b59bbd9daa5f476d863e110c60a1da3010e985383999bfb8fca86c8fcc70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\layout.bin

Filesize
453B

MD5
9016e98163dce3b836a74126d9b96643

SHA1
36b1257da1f0dab189d98e911824d65e289c611a

SHA256
3ddf2cd37c0ff21079389abcbb7c875b6ea7574219a1f9568c7a9eef2e51c62b

SHA512
1b9612a780cd09509c8c31e479a66d99ae5d33d39907e4d409859d5eed2af12066bfb2ae60b2ada128391fe2002ec8c9a920bfeac564727a015d0321c6e967ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\setup.ini

Filesize
144B

MD5
ef6d0d0f816fdeab842b492e8add9ab0

SHA1
0e16e5187a85b2feb19898506c627fba98a9c109

SHA256
d5981ca808498e19b0655337dffe8be137c729dba1bf57a3785c0d635722e73d

SHA512
15ad3a14bda2264798c4d77f96c7a3677d8282c45cfbddde228c0bc851998fc0e9b6c1fd13fad7ff6bf3cfd5c0e1fad543715acd53ca6ede6df1a42ee82e143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft66CF.tmp\Disk1\setup.inx

Filesize
147KB

MD5
c9cb671f9adb844fd6fb5479aaad27da

SHA1
2c3e556b2b2d24e6f06f9492db04c349d0ae4423

SHA256
01a861ca8dbeeeddac0c3e9fea26857f311e51535f77b98d6f35b375d589d191

SHA512
06c7600b67179372a64942c609652e9092bed1a089a01bef9d70eebd86b1e7eb900c1a89b1f66d2cfa300b1a9aa5f295d262429cb4c296b44a636512ab78de33

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\_IsRes.dll

Filesize
252KB

MD5
48ea604d4fa7d9af5b121c04db6a2fec

SHA1
dc3c04977106bc1fbf1776a6b27899d7b81fb937

SHA256
cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b

SHA512
9206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\_IsRes.dll

Filesize
252KB

MD5
48ea604d4fa7d9af5b121c04db6a2fec

SHA1
dc3c04977106bc1fbf1776a6b27899d7b81fb937

SHA256
cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b

SHA512
9206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\_IsUser.dll

Filesize
84KB

MD5
a5a58b45cb5b654520132baf44b01f8e

SHA1
f3e8166744c8a6d32158011264ea20db8afa4b11

SHA256
b9d0f4015d4f9cf67ae524e8a38507abcddb78ae798ca45de6fd2148627ce78c

SHA512
3522ff86d3756e0f303bd3a37a21d3a59799999cf1df00a045522ba0c7719a7bce6c84039a17c2599cb28a961aafa8b366f09f2d15c5063916bf297ba6f5cfcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\_IsUser.dll

Filesize
84KB

MD5
a5a58b45cb5b654520132baf44b01f8e

SHA1
f3e8166744c8a6d32158011264ea20db8afa4b11

SHA256
b9d0f4015d4f9cf67ae524e8a38507abcddb78ae798ca45de6fd2148627ce78c

SHA512
3522ff86d3756e0f303bd3a37a21d3a59799999cf1df00a045522ba0c7719a7bce6c84039a17c2599cb28a961aafa8b366f09f2d15c5063916bf297ba6f5cfcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\gtapi.dll

Filesize
3KB

MD5
66f378f86c80b95eb4102d676f8652e0

SHA1
23ae9cffd8faef93a3874def1e3d9f7bb6f4201d

SHA256
7a8fd69d0323c4c886a55d46276eb35bb55f4662a0cf4435d36daed643b85a96

SHA512
4a558b42f42c2084740a14272558717ed155afbb9984cfb1525cc8acf0e5c7a8b7093c7a62f10cdd5f75c40607f4c9f1d3241c798561896cddcf6da535032377

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\gtapi.dll

Filesize
3KB

MD5
66f378f86c80b95eb4102d676f8652e0

SHA1
23ae9cffd8faef93a3874def1e3d9f7bb6f4201d

SHA256
7a8fd69d0323c4c886a55d46276eb35bb55f4662a0cf4435d36daed643b85a96

SHA512
4a558b42f42c2084740a14272558717ed155afbb9984cfb1525cc8acf0e5c7a8b7093c7a62f10cdd5f75c40607f4c9f1d3241c798561896cddcf6da535032377

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\isrt.dll

Filesize
324KB

MD5
61c056d2df7ab769d6fd801869b828a9

SHA1
4213d0395692fa4181483ffb04eef4bda22cceee

SHA256
148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66

SHA512
a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\isrt.dll

Filesize
324KB

MD5
61c056d2df7ab769d6fd801869b828a9

SHA1
4213d0395692fa4181483ffb04eef4bda22cceee

SHA256
148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66

SHA512
a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172

Download Submit
\??\c:\users\admin\appdata\local\temp\pft66cf.tmp\disk1\data1.hdr

Filesize
20KB

MD5
d5717596a988c8ca6c9150464304dc49

SHA1
7936bdc9dafe36a70148946ae8928d8d37d567be

SHA256
4a28e3ee6e23cd1f88280593b48d558690f3e35d5550f6196a73e420fc547020

SHA512
27a70bad5e57a2aafe33ac0fd562c693a82bb74045e91e8fae9f7906033a0d88763b21e002559a5c26a95f8d73428c3df2375caf610eeeda3f504a1798d36b68

Download Submit
memory/4160-168-0x00000000036E0000-0x000000000370C000-memory.dmp

Filesize
176KB

Download
memory/4160-173-0x0000000003850000-0x0000000003866000-memory.dmp

Filesize
88KB

Download
memory/4160-157-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads