c37a5bd22e9a2565e57e81ce8d97a8d6aa17633ad819607f34ea924d00f9944e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00113722_XP_Vista_7/setup.exe
Size

444KB
MD5

fbab280d0cac5e21c72f0a1a7b5b9608
SHA1

f142143a5d63b51d45647c3d29d6d1468c6af321
SHA256

15ff52f3a2d8f23241bf7f8f90095ee3741e66fa177fb5b6dc729decc82a4a99
SHA512

e3e559297d9ef5c0040b0e1bd6e3371945789df163e767fe758118e092f3a090b7412e8e0883af9f69e89923bc4eb8be2ba75ded88c1b8b277d1f5d7aa2ad251
SSDEEP

6144:QB+BhEjoBfLdbNVOY5LY9CsDykwXNMWAi3cuOjyLDWCa6P58Rt3qgDHt5Fsp6Yr7:eohjbbHOY5c9CsDrgMLiMuf8e

Score

7^/10

discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral19/files/0x0006000000016fe8-81.dat	acprotect
behavioral19/files/0x00060000000173e5-85.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2652	ISBEW64.exe
956	Monitor.exe

Loads dropped DLL 11 IoCs

pid	Process
2256	setup.exe
2256	setup.exe
2256	setup.exe
2256	setup.exe
2256	setup.exe
2256	setup.exe
2256	setup.exe
2256	setup.exe
2256	setup.exe
956	Monitor.exe
956	Monitor.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral19/memory/2256-27-0x0000000010000000-0x0000000010197000-memory.dmp	upx
behavioral19/memory/2256-30-0x0000000010000000-0x0000000010197000-memory.dmp	upx
behavioral19/files/0x0006000000016fe8-81.dat	upx
behavioral19/memory/2256-83-0x0000000003F70000-0x0000000003FFE000-memory.dmp	upx
behavioral19/files/0x00060000000173e5-85.dat	upx
behavioral19/memory/2256-87-0x00000000042B0000-0x0000000004340000-memory.dmp	upx
behavioral19/memory/2256-110-0x0000000010000000-0x0000000010197000-memory.dmp	upx
behavioral19/memory/2256-111-0x0000000003F70000-0x0000000003FFE000-memory.dmp	upx
behavioral19/memory/2256-112-0x00000000042B0000-0x0000000004340000-memory.dmp	upx
behavioral19/memory/2256-417-0x0000000010000000-0x0000000010197000-memory.dmp	upx
behavioral19/memory/2256-418-0x0000000003F70000-0x0000000003FFE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Dare-U mouse = "\"C:\\Program Files (x86)\\uRage Illuminated Driver\\Monitor.exe\""	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\skin_config.ini	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\advac8ac.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\delete_macro_warn_normal.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Mouse\mouse.jpg	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\Mouse\mousc9e4.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Mouse\mouse2.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Mouse\mouse4.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Main_control_5050over.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\macro_set_warn_mask.bmp	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\resec938.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\macrc88d.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\config\Defac83f.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\lanc84e.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\Profc88d.rra	setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\data1.cab	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\scroll_arrow_up.bmp	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\skin_support_control.ini	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\stop_record_down.bmp	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\macro_set_warn_down.jpg	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\macrc909.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\skinc948.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\skinc957.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\starc9c5.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Mouse\mouse7.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Main_control_5050down.jpg	setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\setuc7f1.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\Mainc87d.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\Mainc88d.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\skin_main_control.ini	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\skin_shortcut.ini	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\slider_dpi.bmp	setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\datac7e1.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\Confc81f.rra	setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\children_mask.bmp	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\Mouse\mousc9f3.rra	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\Macrc86d.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Main_control_normal.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\delete_macro_warn_down.jpg	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\delec909.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\delete_macro_warn_over.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\skin_profile.ini	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\starc9b5.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\support_page_over.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Config_normal.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\_Setup.dll	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\Monitor.exe	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\config\Default3.gmp	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\color_page_normal.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\skin_advance_expand.ini	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\start_record_down.bmp	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\logoce57.rra	setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\layout.bin	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\lan.dll	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Config_over.jpg	setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\_Setc7f1.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Main_control_down.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\scroll_arrow_down.bmp	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\Optica03.rra	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Config_down.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Main_control_over.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Profile_down.jpg	setup.exe
File opened for modification	C:\Program Files (x86)\uRage Illuminated Driver\skins\Profile_mask.bmp	setup.exe
File created	C:\Program Files (x86)\uRage Illuminated Driver\skins\chilc8ac.rra	setup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0\\IsBE.dll"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\ = "ISENG64Lib"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}	setup.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	2056	vssvc.exe
Token: SeRestorePrivilege	2056	vssvc.exe
Token: SeAuditPrivilege	2056	vssvc.exe
Token: SeRestorePrivilege	296	DrvInst.exe
Token: SeRestorePrivilege	296	DrvInst.exe
Token: SeRestorePrivilege	296	DrvInst.exe
Token: SeRestorePrivilege	296	DrvInst.exe
Token: SeRestorePrivilege	296	DrvInst.exe
Token: SeRestorePrivilege	296	DrvInst.exe
Token: SeRestorePrivilege	296	DrvInst.exe
Token: SeLoadDriverPrivilege	296	DrvInst.exe
Token: SeLoadDriverPrivilege	296	DrvInst.exe
Token: SeLoadDriverPrivilege	296	DrvInst.exe
Token: SeRestorePrivilege	1576	DrvInst.exe
Token: SeRestorePrivilege	1576	DrvInst.exe
Token: SeRestorePrivilege	1576	DrvInst.exe
Token: SeRestorePrivilege	1576	DrvInst.exe
Token: SeRestorePrivilege	1576	DrvInst.exe
Token: SeRestorePrivilege	1576	DrvInst.exe
Token: SeRestorePrivilege	1576	DrvInst.exe
Token: SeLoadDriverPrivilege	1576	DrvInst.exe
Token: SeLoadDriverPrivilege	1576	DrvInst.exe
Token: SeLoadDriverPrivilege	1576	DrvInst.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
956	Monitor.exe
956	Monitor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2652	2256	setup.exe	30
PID 2256 wrote to memory of 2652	2256	setup.exe	30
PID 2256 wrote to memory of 2652	2256	setup.exe	30
PID 2256 wrote to memory of 2652	2256	setup.exe	30
PID 2256 wrote to memory of 956	2256	setup.exe	36
PID 2256 wrote to memory of 956	2256	setup.exe	36
PID 2256 wrote to memory of 956	2256	setup.exe	36
PID 2256 wrote to memory of 956	2256	setup.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00113722_XP_Vista_7\setup.exe
"C:\Users\Admin\AppData\Local\Temp\00113722_XP_Vista_7\setup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\{3E2BACCB-ACDB-4D5A-9491-4662C9D10F80}\ISBEW64.exe
  C:\Users\Admin\AppData\Local\Temp\{3E2BACCB-ACDB-4D5A-9491-4662C9D10F80}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{17A1B14F-103E-4CDA-8A56-A1669E8419FE}
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Program Files (x86)\uRage Illuminated Driver\Monitor.exe
  "C:\Program Files (x86)\uRage Illuminated Driver\Monitor.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "000000000000059C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005B4" "00000000000003A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\uRage Illuminated Driver\Monitor.exe

Filesize
480KB

MD5
8605e95013158b04e10ea65edb8fd7d7

SHA1
16cada78a223c0f8c45a553a31e03ab53ca32abc

SHA256
f7344a7d7e983d7804dbb8f9fb33ee40e2826fa92babc060a640e4c07b5baadf

SHA512
e575de8d42b47beff90c8b3fe5d109d98e356c09ae1ec4a10034f4e51ed4ce99a75abca95fc08013d48003faa9a0cb3792efc908366102de8340b7eae4edae4c

Download Submit
C:\Program Files (x86)\uRage Illuminated Driver\Monitor.exe

Filesize
249KB

MD5
afe37f0b8b97796ce69009335170d9ef

SHA1
dfd4c5c274d2b975210f4788d062389fbd2ad967

SHA256
1ca2e18770b281cea3a146e8b0e879aa7487f9b6ca37747194dd0d098ce36d03

SHA512
ce53a43f4b304c5cd9b18638fb31a75db8c632b2f7bcb75d0dd0371cbd8439dd814f3a9def66166bd50bb9115ca9974eec2e94a5224e830d2bbe93f711d33309

Download Submit
C:\Program Files (x86)\uRage Illuminated Driver\config.ini

Filesize
947B

MD5
c0d8ed555b4d717f948435fcf917003a

SHA1
e8932c1cb32e664e23a00ab12cf143305cf4e572

SHA256
4683b617831cede90122c1f62262d7feea55f59c5e318db2aaef770c20b5c9b1

SHA512
66f96a654da89397135567568de90a4f493c03562f8483ffbef32c7d299b542ad09f06ec66be94d4b919d67b4dc5719189de1b920e5dfe3e3cdf716a195b7166

Download Submit
C:\Program Files (x86)\uRage Illuminated Driver\config\Default0.gmp

Filesize
14KB

MD5
03bcd3a960d9327f07e066f716130c01

SHA1
56ac5965c9b03b11cbd89cbca4842b73df09d9da

SHA256
f5aba80126685252392c28dc8eab3af20739ab3b17fb80c1b2650f89b6b39603

SHA512
2de889a089bcf6915d97004bc2c75893fc8897fda1b08a7803c60d715dd91d626d734ae45d312a04753580c191ab4132e64134d00b03f001d0d73f0fa52b5965

Download Submit
C:\Program Files (x86)\uRage Illuminated Driver\config\Default1.gmp

Filesize
14KB

MD5
451abbd0589a1989e6b6195b5cd1a958

SHA1
d88ed6757199dfdd86fa994b2a5cb598493dc612

SHA256
d5679cb8781a8c0f1ba2d909656e526e77057a637c9043ca8bb86e1c9e0883e9

SHA512
71c3b589b872144e869ccb6d4deab87c632ee634875c53a79cb7787eb0b8a08fc0e1a36b6e9e5d4a5db4ad37ef5ac56a3be87cf39093744a161362145469864e

Download Submit
C:\Program Files (x86)\uRage Illuminated Driver\config\Default2.gmp

Filesize
14KB

MD5
e11fd9eeb6362f8b7e5b1e09e3480f6a

SHA1
825ecc62c82ee20544e29c9286f60e23f1187040

SHA256
47c3f4b91d603f406bfb0269cd515d07eb39358e98ff856ebf76a58d7a97986e

SHA512
4e01fa5ce64f64ea86114d2ac0694b480994fdbcb2f2feee53bbbef547a0447d7621739b98c95dd8c406b01d7a6202e3c44d7fcdbbfff9c59aef622d6710181e

Download Submit
C:\Program Files (x86)\uRage Illuminated Driver\config\Default3.gmp

Filesize
14KB

MD5
764f00ad0e0e6c0603e9a733ced184e3

SHA1
4a2acd52282045eca7c9d64d3b7f22aa0ee01442

SHA256
bf2192f10e4d7b5463e55ddf374d7452eaf99dff653c739542f11f9a44e4d147

SHA512
c668a85d063d5106591b931cee71aff916b3a4f715818f3459e3496195a1dd49ecd54b2f58f95092cbf8f11aa362f40093988c5a54d7fc1c4e28c1e35d43004a

Download Submit
C:\Program Files (x86)\uRage Illuminated Driver\config\Default4.gmp

Filesize
14KB

MD5
2a389b8ce96b539afd243bfbd392ade3

SHA1
1e09d49fe818883769317e36b9747bb2c18cca8a

SHA256
424d40dc7d835bb145c12da203772601aa13edb61582c6e78564b7d4eaded023

SHA512
d2fefd92eb098b32fbae24faf9eb76c0c03122f9094ade4a36568a6c9fb8f648dfadee2e3c4a7541d872290f8a22b846138e4c7600b7569db3483d058b177c50

Download Submit
C:\Program Files (x86)\uRage Illuminated Driver\skins\Profile_mask.bmp

Filesize
589KB

MD5
c0e43bf45e85e4e851a284ca4c26aa42

SHA1
2ba7d7a81fd5f5d431d66e04acbb21d0e3bac714

SHA256
71dad51b75429e158437c7f766275363529f13292c24141d6ca7ae2651b62591

SHA512
9669315eb77d53997cd46319941cd0c5880a266f930908fcefee64073c99f54639edb9ad52d641a05ddf2244d9698cd406119aef466f6ba2f435e7311927ef89

Download Submit
C:\ProgramData\InstallShield\ISEngine12.0\IsBE.dll

Filesize
52KB

MD5
9cf7faee57a20bf15a2fc9b423ebc512

SHA1
12cbf4d0a941bd5a8f847754fdaf4841e7751cce

SHA256
d34f26d85bfb94a5f017fdaf58b94ecf9553919d2aa9a9955ff0a2e3d7c11e4a

SHA512
44c715be4a98b9ce99c6d926500be3e365f8a08a4d8c85ae9342dc9ce76de29544f14acbf42d69f7f9e40ebdf0c6faa8cb5d4b3fc9d523479b12cf0823678672

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E2BACCB-ACDB-4D5A-9491-4662C9D10F80}\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\DIFxData.ini

Filesize
86B

MD5
10baa5b67536f4433f37534b9c8bb828

SHA1
82e5c34b1279afda223b639b49078d03c52875f5

SHA256
1b9fd5c1f18357bd459be20bfcbf47ee18fa0c5d5cc42f6aed2705d5868b65f4

SHA512
49c6798ebb3b6137cafb78b88350d02094367523dcf8f9e580de1941e514b8b3df786d1d817090e5dab80ac4d0d015796b2ce28b296db31d111e0d0bbaeebb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E2BACCB-ACDB-4D5A-9491-4662C9D10F80}\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\FontData.ini

Filesize
39B

MD5
00f313e3e007599349a0c4d81c7807c4

SHA1
f0171f15aab836a1979d3833e46b5e59e4ea32e0

SHA256
766ee687d90b0217eb41cb85aca04375bdc24db986a33536631f864b7ce1a08a

SHA512
8bb25a62c0b1640dec36403a493ed54c05f7cde7b7357c8faea785a79c4b76bbe6a3d6fe78db52b558a37abac90c2b2e8b13868a76294554d51670e9fa8764ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3E2BACCB-ACDB-4D5A-9491-4662C9D10F80}\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\setup.inx

Filesize
216KB

MD5
e4699f5e75afd4817b8177410c728f42

SHA1
66937777108223432aff722c48093d50fde2a5fa

SHA256
a01fa3bf12c1688e3d65b7cb5c43055a71c914c7a38ca29b05ef3b7c48790b7a

SHA512
582472c286eec1d3ab183edd9e7029f645ac9a03f71116deebd2d6cfc4344c3f4177ec8b424f1625443b17acb77301bd28d1f65e552555a38c7c12a9e8b46493

Download Submit
C:\Users\Admin\AppData\Local\Temp\{83CCC34B-01CE-4868-BD2A-E71EB8BF155A}\_isdel.ini

Filesize
282B

MD5
62b6b099b2a3ff0d1345555ad3b00ac2

SHA1
119e48e2bec70831e136762f7fd5a6a2f3e1ef3b

SHA256
9e523654f74ab1392530e6ac72fd58a25d9ff8dc96963cd0a4b9be0be91ddfc2

SHA512
16c7a3a111fedd7cf934fb5e07d1881455ff2bd33d251e6368c864acdf305c777190d60fdc2011858ee25129de4785fadffc2b86684dafe8cd8f72c99bb2eab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{83CCC34B-01CE-4868-BD2A-E71EB8BF155A}\setup.ini

Filesize
441B

MD5
a872c61d7506d43e72ffde85eedb978d

SHA1
42f4e9147eefb7ccd8a8c45fbc8d8f4e3f031b4e

SHA256
fbc16c57ab07e7ccc67dd0bc5d3c94390a95430be0bc4f2c17e0c34723fdb8a4

SHA512
9c96b5df32153bdf8425109a03c4994150676dabbb297eaa3b16dccf0131d170ab64cb700c748457037c9c21c4a90b2fb767288d36cef04bddf4242e7decf74d

Download Submit
\Program Files (x86)\InstallShield Installation Information\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\setup.exe

Filesize
444KB

MD5
fbab280d0cac5e21c72f0a1a7b5b9608

SHA1
f142143a5d63b51d45647c3d29d6d1468c6af321

SHA256
15ff52f3a2d8f23241bf7f8f90095ee3741e66fa177fb5b6dc729decc82a4a99

SHA512
e3e559297d9ef5c0040b0e1bd6e3371945789df163e767fe758118e092f3a090b7412e8e0883af9f69e89923bc4eb8be2ba75ded88c1b8b277d1f5d7aa2ad251

Download Submit
\Program Files (x86)\uRage Illuminated Driver\Monitor.exe

Filesize
380KB

MD5
58226bb228d4f7913e32551470fe8b51

SHA1
8617ed804eaee1a25ff2c308cccfe21c5921ec22

SHA256
c8ce80e40a83b7abba5265dcb689eefee752b9f242f5baf8133e16df0748505a

SHA512
6fc7aebb0f9c3d77868edcf00c772db622b8931b3741db2d25509809154148a76f23abfddf0fac77ce8bbb5c406d1807cadb3538c48153f7244ca3c9e9432a8f

Download Submit
\Program Files (x86)\uRage Illuminated Driver\hiddriver.dll

Filesize
60KB

MD5
87f07d947179cc94fa5058309df534d6

SHA1
155f1bcb75fa00963bab411a7f5888947cb13c4e

SHA256
38893b04e27db106dbeb7209893bd3f1473f32ea1a717c0233c9b6935dd24be4

SHA512
64694a614a892504619308936cbcdb56aee1d571a9df02b6c07532bf217dca5933b8dfedd14220ab98810f5fe29e8a1238385197c1bec153acb4ba677f4529c8

Download Submit
\Program Files (x86)\uRage Illuminated Driver\lan.dll

Filesize
56KB

MD5
619d8b4e6c9718ccc9af58fdce6ccde5

SHA1
79cc9b6a1a3df8215e403396851a616b8de7b5ff

SHA256
22f9515f7f268fc4633c96e04f9fe56fde38f9f0ecb8017d47c0851aa7cada06

SHA512
5f3d07cf58571e61b26197491cbe65e5d187f3171071319b76285274446ca9daa2bdd3f3a11b31b882254e7eb1877ed61873a65c2206996ab97421857459ec66

Download Submit
\Users\Admin\AppData\Local\Temp\{3E2BACCB-ACDB-4D5A-9491-4662C9D10F80}\ISBEW64.exe

Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
\Users\Admin\AppData\Local\Temp\{3E2BACCB-ACDB-4D5A-9491-4662C9D10F80}\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\_IsRes.dll

Filesize
120KB

MD5
e54601d8a464a455de081d63d4b7927d

SHA1
0ff6da399c123394cca3b4cc64a41d8037787b73

SHA256
1e154a29673d129414ab56b995d04afcfa1a02af47dabaa28cd11c25f7d6026a

SHA512
5a213430fb8dc6a19c24122f8d9cd03479ee7ae421eac77d1026f16bf520a1f113d43380e2a60d5f0133e09aa7ad323a7ef9d1cccc3eea1e905f09701b118e05

Download Submit
\Users\Admin\AppData\Local\Temp\{3E2BACCB-ACDB-4D5A-9491-4662C9D10F80}\{F1A273BD-6A9E-41D8-A111-5E56ACD286F8}\isrt.dll

Filesize
203KB

MD5
b35dde51d14f9400e73196693148734e

SHA1
9410c5268f5558e57d044780d0d5dcc7aa181299

SHA256
70fa7f0aa2feb397597b2785a4bfdb2c9cd36e0edb51f4f0dfe6ac086290ac86

SHA512
6bb24c8864078c923007c1818bb0a590ebe84e2fbe6f2642dc951b05c42da1c33861f150c4ea8943657259c1c309a69b8cb1817b6a207cb9e577bc3aa8bfa79d

Download Submit
\Users\Admin\AppData\Local\Temp\{83CCC34B-01CE-4868-BD2A-E71EB8BF155A}\_Setup.dll

Filesize
160KB

MD5
30ebd4e80b1dda05eac709a1dc5965b4

SHA1
2418232370026574baabc84b105f6dd9e458ad86

SHA256
8802e54ce01babf7bb22d0da5c83bebc5c05d0ccd73566a5f836690e9278a696

SHA512
5115afea66734fe53c9479a6569b7fbc1ef395432781367cd68c7f4878ca3884bad0a960f76db2a40314484f329c4288a6ecf4a93cc49642c5e412448c5a2557

Download Submit
memory/956-434-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/2256-112-0x00000000042B0000-0x0000000004340000-memory.dmp

Filesize
576KB

Download
memory/2256-83-0x0000000003F70000-0x0000000003FFE000-memory.dmp

Filesize
568KB

Download
memory/2256-87-0x00000000042B0000-0x0000000004340000-memory.dmp

Filesize
576KB

Download
memory/2256-30-0x0000000010000000-0x0000000010197000-memory.dmp

Filesize
1.6MB

Download
memory/2256-418-0x0000000003F70000-0x0000000003FFE000-memory.dmp

Filesize
568KB

Download
memory/2256-27-0x0000000010000000-0x0000000010197000-memory.dmp

Filesize
1.6MB

Download
memory/2256-417-0x0000000010000000-0x0000000010197000-memory.dmp

Filesize
1.6MB

Download
memory/2256-111-0x0000000003F70000-0x0000000003FFE000-memory.dmp

Filesize
568KB

Download
memory/2256-110-0x0000000010000000-0x0000000010197000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads