DriverReviverSetup_ppc4.exe
This report is generated from a file or URL submitted to this webservice on February 4th 2019 07:23:57 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Persistence
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Found a dropped file containing the Windows username (possible fingerprint attempt)
  - Queries kernel debugger information
  - Queries process information
  - Queries sensitive IE security settings
  - Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 11 domains and 10 hosts.
Related Sandbox Artifacts
- Associated URLs
  - hxxps://dl.reviversoft.com/utils/DriverReviverSetup_ppc4.exe
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (12)

External Systems

- Sample was identified as malicious by a trusted Antivirus engine
  - details: No specific details available
  - source: External System
  - relevance: 5/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 2/68 Antivirus vendors marked sample as malicious (2% detection rate)
  - source: External System
  - relevance: 8/10
General

- The analysis extracted a file that was identified as malicious
  - details:
3/91 Antivirus vendors marked dropped file "ga_utility.exe" as malicious (classified as "malicious.moderate.ml" with 3% detection rate)
10/67 Antivirus vendors marked dropped file "DriverReviverUpdater.exe" as malicious (classified as "Gen:Variant.Razy" with 14% detection rate)
2/70 Antivirus vendors marked dropped file "notifier.exe" as malicious (classified as "PUP.Optional" with 2% detection rate)
3/68 Antivirus vendors marked dropped file "tray.exe" as malicious (classified as "PUP.Optional" with 4% detection rate)
1/90 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "malicious.moderate.ml" with 1% detection rate)
1/70 Antivirus vendors marked dropped file "Uninstall.exe" as malicious (classified as "PUP.Optional" with 1% detection rate)
  - source: Binary File
  - relevance: 10/10
- The analysis spawned a process that was identified as malicious
  - details:
3/68 Antivirus vendors marked spawned process "DriverReviverSetup_b44_5.27.0.22.exe" (PID: 4156) as malicious (classified as "PUP.Optional" with 4% detection rate)
3/91 Antivirus vendors marked spawned process "ga_utility.exe" (PID: 3896) as malicious (classified as "malicious.moderate.ml" with 3% detection rate)
1/67 Antivirus vendors marked spawned process "DriverReviver.exe" (PID: 3904) as malicious (classified as "PUP.Optional" with 1% detection rate)
1/67 Antivirus vendors marked spawned process "DriverReviver.exe" (PID: 4624) as malicious (classified as "PUP.Optional" with 1% detection rate)
3/91 Antivirus vendors marked spawned process "ga_utility.exe" (PID: 4916) as malicious (classified as "malicious.moderate.ml" with 3% detection rate)
1/67 Antivirus vendors marked spawned process "DriverReviver.exe" (PID: 4756) as malicious (classified as "PUP.Optional" with 1% detection rate)
1/67 Antivirus vendors marked spawned process "DriverReviver.exe" (PID: 4796) as malicious (classified as "PUP.Optional" with 1% detection rate)
1/67 Antivirus vendors marked spawned process "DriverReviver.exe" (PID: 5456) as malicious (classified as "PUP.Optional" with 1% detection rate)
  - source: Monitored Target
  - relevance: 10/10
Installation/Persistence

- Allocates virtual memory in a remote process
  - details:
"DriverReviverSetup_ppc4.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2092356043-4041700817-663127204-1001"
"DriverReviverSetup_b44_5.27.0.22.exe" allocated memory in "%TEMP%\nsa9536.tmp\nsEnvVariables.dll"
"DriverReviverSetup_b44_5.27.0.22.exe" allocated memory in "C:\Program Files\ReviverSoft\Driver Reviver\offline\registration\files\btn-purchase.png"
"DriverReviverSetup_b44_5.27.0.22.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Reviver"
"DriverReviverSetup_b44_5.27.0.22.exe" allocated memory in "C:\Program Files\ReviverSoft\Driver Reviver\7za.exe"
"DriverReviverSetup_b44_5.27.0.22.exe" allocated memory in "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\ReviverSoft\Driver Reviver\Uninstall.lnk"
"ReviverSoftSmartMonitorSetup.exe" allocated memory in "C:\Users\%USERNAME%\AppData\Local\Temp\nsy9B8A.tmp\execDos.dll"
  - source: API Call
  - relevance: 7/10
  - ATT&CK ID: T1055
- Writes data to a remote process
  - details:
"DriverReviverSetup_ppc4.exe" wrote 1500 bytes to a remote process "C:\DriverReviverSetup_b44_5.27.0.22.exe" (Handle: 324)
"DriverReviverSetup_ppc4.exe" wrote 4 bytes to a remote process "C:\DriverReviverSetup_b44_5.27.0.22.exe" (Handle: 324)
"DriverReviverSetup_ppc4.exe" wrote 32 bytes to a remote process "C:\DriverReviverSetup_b44_5.27.0.22.exe" (Handle: 324)
"DriverReviverSetup_ppc4.exe" wrote 52 bytes to a remote process "C:\DriverReviverSetup_b44_5.27.0.22.exe" (Handle: 324)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 32 bytes to a remote process "%TEMP%\nsa9536.tmp\ga_utility.exe" (Handle: 372)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ga_utility.exe" (Handle: 372)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ga_utility.exe" (Handle: 372)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ns309C.tmp" (Handle: 976)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ns309C.tmp" (Handle: 976)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ns309C.tmp" (Handle: 976)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ReviverSoftSmartMonitorSetup.exe" (Handle: 968)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ReviverSoftSmartMonitorSetup.exe" (Handle: 968)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ReviverSoftSmartMonitorSetup.exe" (Handle: 968)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ReviverSoftSmartMonitorSetup.exe" (Handle: 968)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 32 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 176)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 52 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 176)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 4 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 176)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 32 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 968)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 52 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 968)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 4 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 968)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ga_utility.exe" (Handle: 1060)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ga_utility.exe" (Handle: 1060)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ga_utility.exe" (Handle: 1060)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 32 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 1124)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 52 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 1124)
"DriverReviverSetup_b44_5.27.0.22.exe" wrote 4 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe" (Handle: 1124)
"ns309C.tmp" wrote 32 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\binary_archive_converter.exe" (Handle: 72)
"ns309C.tmp" wrote 52 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\binary_archive_converter.exe" (Handle: 72)
"ns309C.tmp" wrote 4 bytes to a remote process "C:\Program Files\ReviverSoft\Driver Reviver\binary_archive_converter.exe" (Handle: 72)
"ReviverSoftSmartMonitorSetup.exe" wrote 32 bytes to a remote process "C:\Program Files\ReviverSoft\Smart Monitor\ReviverSoft Smart Monitor Service.exe" (Handle: 356)
"ReviverSoftSmartMonitorSetup.exe" wrote 52 bytes to a remote process "C:\Program Files\ReviverSoft\Smart Monitor\ReviverSoft Smart Monitor Service.exe" (Handle: 356)
"ReviverSoftSmartMonitorSetup.exe" wrote 4 bytes to a remote process "C:\Program Files\ReviverSoft\Smart Monitor\ReviverSoft Smart Monitor Service.exe" (Handle: 356)
"ReviverSoftSmartMonitorSetup.exe" wrote 32 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 404)
"ReviverSoftSmartMonitorSetup.exe" wrote 52 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 404)
"ReviverSoftSmartMonitorSetup.exe" wrote 4 bytes to a remote process "C:\Windows\System32\sc.exe" (Handle: 404)
  - source: API Call
  - relevance: 6/10
  - ATT&CK ID: T1055
Network Related

- Malicious artifacts seen in the context of a contacted host
  - details:
Found malicious artifacts related to "54.85.112.141": ...
URL: http://update.simplestar.com/api/update (AV positives: 1/70 scanned on 12/26/2018 08:12:02)
URL: http://update.simplestar.com/api/pulse/settings (AV positives: 1/70 scanned on 12/20/2018 01:57:06)
File SHA256: ea9f875eb4399b30d5e43c38175a49b21ee77df90b5d908e83be0838f798c18f (AV positives: 3/70 scanned on 02/01/2019 10:01:11)
File SHA256: 28717c1910af121ad2176b58aaddd69583f710572116c65c36bb067ff04f2856 (AV positives: 2/71 scanned on 12/23/2018 09:04:52)
File SHA256: f97c769b2ec49a1f037374b5dfdfdd2d5717e6a855574a8b6562ad42dac8ae5a (Date: 10/14/2018 13:47:03)
File SHA256: 38c4d3d41295bf69ffef1fd15a020a5117606c307ae8c71cb3ca33d35f723be2 (Date: 09/26/2018 12:35:00)
File SHA256: 11e4d3578d6358d163b26397861c239584f0403482dbc63f3281c79e93a3b225 (AV positives: 2/68 scanned on 08/29/2018 22:31:40)
File SHA256: 36f59fbdd323a8ae8820b9f01fc60e3c84d67ae40d5b33e77b524d0db0b28415 (AV positives: 4/67 scanned on 07/24/2018 19:20:43)
File SHA256: 9da7e43e9faae5ee3652569c8d1f3889b214903bfefd617a255bf4ff0f164134 (AV positives: 15/65 scanned on 06/01/2018 21:09:06)
Found malicious artifacts related to "54.230.129.17": ...
File SHA256: 860a67055f69510ae0cec68aa9c3b53e29b005d893839fd627e4ed779dd041df (Date: 02/03/2019 07:53:16)
File SHA256: 531a3777633ee6d91b81451f2b7a03b60a37e48d1a5eada6a6e66bdd19c7841b (Date: 02/03/2019 07:24:31)
File SHA256: 13aa6e64f6720d63df31fbc46252a2c22f94d091ca36183868f829e4e882c14b (Date: 02/03/2019 07:23:46)
File SHA256: 494b9900937fe3cff0c2aa74ddc2946de0c657af4a555527d06d7bca6bf7da4d (Date: 02/03/2019 07:23:34)
File SHA256: 0420d3b1dc3e031779c5637ace77fcedb1520d7874bdc3f1b3763d4706973e78 (Date: 02/02/2019 00:31:32)
File SHA256: 5ad4ac535f067aea3b02d0a5ef5c995148cd62da9e5c4382218f14ef8b54992e (AV positives: 1/67 scanned on 11/15/2018 15:50:37)
File SHA256: 77cc19688e2a27e7fe9e3c963cad722da26d155b2c1d9607fc7e1c4a267732f2 (AV positives: 1/68 scanned on 10/31/2018 16:01:32)
File SHA256: d15d45215bbf79d94b9277ca8a18144e31817699adfe54003605f530d076ce9e (AV positives: 6/69 scanned on 07/17/2018 00:00:23)
File SHA256: 5f156233c3668c513a2ab6adc36a9970cf94070dec724d2ffdda5da867a7a6ce (AV positives: 3/69 scanned on 07/07/2018 00:16:19)
Found malicious artifacts related to "54.230.129.145": ...
File SHA256: e5469e5d031347395ba950d4b65237437ec3960a14fe83c32ad5885e22544a27 (Date: 02/02/2019 00:21:43)
File SHA256: 5dca5fe98a15c292fe0520804082de31f7efdb8a7bc0516f90248be3b668ae24 (Date: 01/03/2019 01:59:30)
File SHA256: a417339b42da5f6c82970b92d815acc9649b9e61a2d737b9a942de85ec0233dc (Date: 12/22/2018 06:49:34)
File SHA256: 251943933fbbfb0469ec2db992529cb8f6ecc2b2cf10b3002abbea1c6aff3d7b (AV positives: 9/68 scanned on 08/25/2018 06:31:42)
File SHA256: 6aca7e99dc9544a8a500a5ad8894efec55c475eb7c864f5cb5316a135b13a662 (AV positives: 27/68 scanned on 07/16/2018 23:43:31)
File SHA256: 6814ccc39081ba825baddb6d8280902f59f4af9478d1af7176cda772544b8511 (AV positives: 1/65 scanned on 06/30/2018 00:23:21)
Found malicious artifacts related to "54.230.129.107": ...
File SHA256: 3175e7fa51b952d55531a117e28c5eeb31777d0b9b388989e77555acf6291ad5 (Date: 02/03/2019 08:27:28)
File SHA256: 452c19e2b91db42a05c2f45d98f03ceff8b663d3ed63987fc4caf9f1b6a9fd75 (Date: 02/03/2019 08:09:10)
File SHA256: 0429c1c58b117f61a7c66736df32e58c17cef48da3cd79345c994fb3eeda0950 (Date: 02/03/2019 08:06:58)
File SHA256: 8227fa854f0346e411d3f2a8c8fedcd105042350f338a909263f734020ef0c2d (Date: 02/03/2019 07:56:24)
File SHA256: 04f4e087d39ee361b588d0e2c46b3174b94e24e14dce7dc6471794eea399bb79 (Date: 02/03/2019 07:28:28)
File SHA256: 98f46c3a69a979e6c89f4435ebf89296d09e4e02d95d4772231cc4fa7bfad052 (AV positives: 3/69 scanned on 11/15/2018 21:03:09)
File SHA256: 686da93d8fc95a7cfd37bad5692fec3c5ad84c723a09848bdf060c174d0ba492 (AV positives: 19/68 scanned on 10/26/2018 19:53:07)
File SHA256: 26ddd2affdf1bd04ea8cb86aaeaaaa945455f3bceda62c0821ee3a44ea52ee48 (AV positives: 3/65 scanned on 07/02/2018 00:15:41)
Found malicious artifacts related to "54.230.129.149": ...
File SHA256: 880ce471a6ac4e1e2bd524075556f28dee6c92c75fa47135adada6aa5e5b804b (Date: 12/19/2018 09:30:08)
File SHA256: dda0f4c4db5ab8a196699b36c34522af2b43b1c95793b5a42a2d835579f17d5c (Date: 12/19/2018 04:23:54)
File SHA256: ed1ea57381c7a158136096f07c0c07beb79ed7bf071216a0b7f4a9fd85361cfe (Date: 12/19/2018 03:55:14)
File SHA256: e92b723d232670b680f5c86dcbaf2151fdf2c90808dbbe90b7de6d8e3c270a74 (Date: 12/19/2018 03:05:06)
File SHA256: 3983c6ee40f933bacd5bdd9a4ec40b2ee1e913c738043ac02a856ad40aa96a0f (Date: 12/19/2018 01:41:05)
File SHA256: 58f276a127fd8a7464d564f2a0caa3ef7cd6f623ac6c6dc48afc8ba14abfcf4c (AV positives: 1/69 scanned on 08/27/2018 13:11:52)
File SHA256: eb24e82ef7536bdca5af9affb90af3200e47e472fdee98f41f27c9841eb6b357 (AV positives: 5/54 scanned on 06/13/2014 12:22:33)
File SHA256: 90b56764fa3b8f1db6cc7f074c9bbce0531f280ae5844b8ff988626318e6fd13 (AV positives: 16/50 scanned on 03/25/2014 20:45:01)
Found malicious artifacts related to "54.230.129.122": ...
URL: http://a0c07b1dfbd600257377d3029d69ca112.profile.ams50.cloudfront.net/ (AV positives: 1/65 scanned on 09/24/2015 12:09:15)
URL: http://a858dc34a6055a9609ab6ecb7cb8ecaec.profile.ams50.cloudfront.net/ (AV positives: 1/63 scanned on 08/16/2015 08:52:10)
URL: http://a71ea13958f4d3e5cdf07eaa9996c7fc0.profile.ams50.cloudfront.net/ (AV positives: 1/63 scanned on 07/03/2015 09:08:05)
URL: http://ab4bbfedb97be27145ddb8b7fa6087101.profile.ams50.cloudfront.net/ (AV positives: 1/63 scanned on 06/22/2015 11:56:15)
URL: http://a7362f0605e68d8ad3914160373c80a60.profile.ams50.cloudfront.net/ (AV positives: 1/63 scanned on 04/30/2015 17:49:13)
File SHA256: b4cea4a6563da97a0f9a6cf6df4ae67d7f9cfb7497de02894a770b2fab14241c (Date: 01/30/2019 07:34:14)
File SHA256: 0dc45df994f2e859f882a51675203eb76bc33646a3310c1029cbdb4f6ea0b7a6 (Date: 01/21/2019 08:39:05)
File SHA256: dc568949ecc34aa11fa0b46958a5deadfc836c36f05629ec9284d44e96111a33 (Date: 01/21/2019 08:10:23)
File SHA256: f42dad31dddee13abc8285d1540f3205b832536b1e9a6f9b134830ffdf3a3ae2 (Date: 01/21/2019 04:52:37)
File SHA256: 407eebc5c30a2d144624e5c7ed7dd6af854d56b2e954329012e531b8f7cc29c2 (Date: 01/21/2019 04:50:25)
File SHA256: 46c00fe37dd49f0a68eb7348d05a243a000673b234beae4301d63c2a2b94ff41 (AV positives: 44/71 scanned on 01/06/2019 16:42:19)
File SHA256: aa5e781b839e3185ac975d8e55f5085586cca77cef2eea3b797903df14bf7239 (AV positives: 1/69 scanned on 11/04/2018 19:10:32)
File SHA256: b25c88c0132794e74d80c520ab01c45ed067a120280b5fba9f00d977712a4b74 (AV positives: 32/70 scanned on 08/28/2018 00:06:54)
File SHA256: ff7952492c72dc30cccc0365a7b97b55d31d4ab68b41e45a8dc6629d47d513ee (AV positives: 31/57 scanned on 01/31/2015 17:59:48)
File SHA256: 28b92c2dbf67a23b0d043884f8f255cd7d8efd19e5c4efa36b4f8d91bc449017 (AV positives: 24/57 scanned on 01/25/2015 19:53:35)
Found malicious artifacts related to "54.230.129.88": ...
File SHA256: 72608be90891ad2b6077bf686cb2f34cfeb949d2f8aae1f0c3ed82c63f72089e (Date: 01/21/2019 12:23:51)
File SHA256: 943bd85778a26d700d6b53d721eb8d5806b0771fbfd35d9d6b6d6cce01119e21 (Date: 01/21/2019 11:40:28)
File SHA256: 57325017a630a86822e85b153b0439ccbf44b33ed261ab4a3f6ba2683cf4e17f (Date: 01/21/2019 11:34:49)
File SHA256: b6529cbe584a926974493c2916d1fbcf22aa77a4d5475ff5fe27db67f78d04e8 (Date: 01/21/2019 11:32:33)
File SHA256: d0a25db8d34119bdcc5c209e3af04850f99f52c05cc9d4b2cdafcc5ab0ad5166 (Date: 01/21/2019 11:32:30)
File SHA256: e91c012fdbef7a70e5c55813cd4b1794c240c85dd5aced4573702b9cc121f935 (AV positives: 3/70 scanned on 11/22/2018 07:38:46)
File SHA256: 8b42b829b5969a149678749abb207a37c703326ec6a57f9004df228e146307de (AV positives: 2/69 scanned on 11/22/2018 07:39:01)
File SHA256: 48622338c914ee98a94bf8678bb7ee1f66b11abe21130a9cb2f741adb0698868 (AV positives: 3/70 scanned on 11/21/2018 18:04:40)
File SHA256: 701e9609607cf1bbe27b958d0626753d82edf5cd0f5ffe52cdec5f1f3d286b1d (AV positives: 2/68 scanned on 11/17/2018 03:45:58)
File SHA256: dbaecb443b3da00ada37d972a4b0b5aa715e606bd5ff08636f2394a772cef83a (AV positives: 38/68 scanned on 12/07/2017 23:16:57)
Found malicious artifacts related to "172.217.17.104": ...
File SHA256: f783b1b630052d09a0b0c94bc972bb84ad3735b470a8246a603d175c59df203d (AV positives: 43/70 scanned on 01/29/2019 22:59:25)
File SHA256: fc2bb071941c5832f5a8621c31d667de5eb230c7124142e4e7de79f5748ca1cf (AV positives: 7/71 scanned on 01/29/2019 18:36:36)
File SHA256: 7d02b521efdc9a8ae18f0f354e9baa1b78040954f4b5f9699a4cd4062edfda4b (AV positives: 48/70 scanned on 01/28/2019 21:25:57)
File SHA256: 952d35423c5fb3a6fc5d211b61db9a7873b49bcb27005e6b496979e03d97b6f8 (AV positives: 11/71 scanned on 01/26/2019 06:05:10)
File SHA256: d3fb0df7871b63814c7463b090fa49791c00b2d508855d88d3cacf178daa9eb3 (AV positives: 18/70 scanned on 01/25/2019 16:58:07)
File SHA256: aac872f8a34a1b6fc40a0c36cce9cf629f228a655261bcbede8b0ac0b49112dd (Date: 10/31/2018 01:40:25)
File SHA256: 2e79833b9cab11d861e27f3c185549afc5ac512c73cd239a3b68c9053817556a (Date: 10/25/2018 10:02:02)
File SHA256: b0177a03ba4b6106e9f8b486be3fa431a8750fcc5df02a7695334b60296e9995 (Date: 10/24/2018 03:10:43)
File SHA256: 5d80c176b5dcb7bdeb394cd5e2590618c4f2e575fb7938d2120d68f17262c1bf (Date: 10/24/2018 00:18:28)
File SHA256: 9a092f4200758ebf99aa946a117118ea80e381f1c1d8eb513468767390bc1a43 (Date: 10/23/2018 22:25:29)
Found malicious artifacts related to "172.217.17.67": ...
File SHA256: ff1b67b4c5b6a285dba9da4fd802cc85ae2f12fa8821c0601e0c574fb9c07b85 (AV positives: 50/70 scanned on 02/04/2019 00:28:00)
File SHA256: 605a3d202932651c42a1de5e8c5707cf756053df8a9e1bdcd8fa7e43d78c6bf1 (AV positives: 50/70 scanned on 02/03/2019 10:32:55)
File SHA256: 4ca76d414345b9070b693b6d674c32b99d631975e8634d9ab749ccb6d0647aa9 (AV positives: 31/70 scanned on 02/03/2019 05:56:04)
File SHA256: 2fa731eef459aed873dd12819364712e5a08a900c84ffd56e3c63e77fc8ee000 (AV positives: 53/70 scanned on 02/02/2019 22:36:15)
File SHA256: 00d16cecb7f4bbd974037f7bd52a33d92ea0e7f4b33ab94d74ed3997bba76bfa (AV positives: 55/69 scanned on 02/02/2019 22:36:19)
File SHA256: 92b8ae1bb041148a10cdcf62686486cf286f335ce4b7673c51fe24c31f2d2ab5 (Date: 01/07/2019 15:09:03)
File SHA256: 3b5fb0755a15e89e9c795737e472f24e2fe2acaa5216c515c50abc004b480f03 (Date: 01/07/2019 12:05:57)
File SHA256: fa9b730ec95db7584d9640e6d15afa29ca26d2a5d49d5abf6a5db28d425835e6 (Date: 12/18/2018 13:51:37)
File SHA256: 3677352d8e694620b02d61910a6e073fb84a387a3a91b54b0d6ed574f504f6bc (Date: 12/18/2018 12:30:34)
File SHA256: 8f7c5dc69c0c2148da832073f5c9afdb03e95955ebd04c0caed8ed418c6fc1d5 (Date: 12/17/2018 12:46:39)
  - source: Network Traffic
  - relevance: 10/10
Multiple malicious artifacts seen in the context of different hosts
- details
-
Found malicious artifacts related to "54.85.112.141": ...
URL: http://update.simplestar.com/api/update (AV positives: 1/70 scanned on 12/26/2018 08:12:02)
URL: http://update.simplestar.com/api/pulse/settings (AV positives: 1/70 scanned on 12/20/2018 01:57:06)
File SHA256: ea9f875eb4399b30d5e43c38175a49b21ee77df90b5d908e83be0838f798c18f (AV positives: 3/70 scanned on 02/01/2019 10:01:11)
File SHA256: 28717c1910af121ad2176b58aaddd69583f710572116c65c36bb067ff04f2856 (AV positives: 2/71 scanned on 12/23/2018 09:04:52)
File SHA256: f97c769b2ec49a1f037374b5dfdfdd2d5717e6a855574a8b6562ad42dac8ae5a (Date: 10/14/2018 13:47:03)
File SHA256: 38c4d3d41295bf69ffef1fd15a020a5117606c307ae8c71cb3ca33d35f723be2 (Date: 09/26/2018 12:35:00)
File SHA256: 11e4d3578d6358d163b26397861c239584f0403482dbc63f3281c79e93a3b225 (AV positives: 2/68 scanned on 08/29/2018 22:31:40)
File SHA256: 36f59fbdd323a8ae8820b9f01fc60e3c84d67ae40d5b33e77b524d0db0b28415 (AV positives: 4/67 scanned on 07/24/2018 19:20:43)
File SHA256: 9da7e43e9faae5ee3652569c8d1f3889b214903bfefd617a255bf4ff0f164134 (AV positives: 15/65 scanned on 06/01/2018 21:09:06)
Found malicious artifacts related to "54.230.129.17": ...
File SHA256: 860a67055f69510ae0cec68aa9c3b53e29b005d893839fd627e4ed779dd041df (Date: 02/03/2019 07:53:16)
File SHA256: 531a3777633ee6d91b81451f2b7a03b60a37e48d1a5eada6a6e66bdd19c7841b (Date: 02/03/2019 07:24:31)
File SHA256: 13aa6e64f6720d63df31fbc46252a2c22f94d091ca36183868f829e4e882c14b (Date: 02/03/2019 07:23:46)
File SHA256: 494b9900937fe3cff0c2aa74ddc2946de0c657af4a555527d06d7bca6bf7da4d (Date: 02/03/2019 07:23:34)
File SHA256: 0420d3b1dc3e031779c5637ace77fcedb1520d7874bdc3f1b3763d4706973e78 (Date: 02/02/2019 00:31:32)
File SHA256: 5ad4ac535f067aea3b02d0a5ef5c995148cd62da9e5c4382218f14ef8b54992e (AV positives: 1/67 scanned on 11/15/2018 15:50:37)
File SHA256: 77cc19688e2a27e7fe9e3c963cad722da26d155b2c1d9607fc7e1c4a267732f2 (AV positives: 1/68 scanned on 10/31/2018 16:01:32)
File SHA256: d15d45215bbf79d94b9277ca8a18144e31817699adfe54003605f530d076ce9e (AV positives: 6/69 scanned on 07/17/2018 00:00:23)
File SHA256: 5f156233c3668c513a2ab6adc36a9970cf94070dec724d2ffdda5da867a7a6ce (AV positives: 3/69 scanned on 07/07/2018 00:16:19)
Found malicious artifacts related to "54.230.129.145": ...
File SHA256: e5469e5d031347395ba950d4b65237437ec3960a14fe83c32ad5885e22544a27 (Date: 02/02/2019 00:21:43)
File SHA256: 5dca5fe98a15c292fe0520804082de31f7efdb8a7bc0516f90248be3b668ae24 (Date: 01/03/2019 01:59:30)
File SHA256: a417339b42da5f6c82970b92d815acc9649b9e61a2d737b9a942de85ec0233dc (Date: 12/22/2018 06:49:34)
File SHA256: 251943933fbbfb0469ec2db992529cb8f6ecc2b2cf10b3002abbea1c6aff3d7b (AV positives: 9/68 scanned on 08/25/2018 06:31:42)
File SHA256: 6aca7e99dc9544a8a500a5ad8894efec55c475eb7c864f5cb5316a135b13a662 (AV positives: 27/68 scanned on 07/16/2018 23:43:31)
File SHA256: 6814ccc39081ba825baddb6d8280902f59f4af9478d1af7176cda772544b8511 (AV positives: 1/65 scanned on 06/30/2018 00:23:21)
Found malicious artifacts related to "54.230.129.107": ...
File SHA256: 3175e7fa51b952d55531a117e28c5eeb31777d0b9b388989e77555acf6291ad5 (Date: 02/03/2019 08:27:28)
File SHA256: 452c19e2b91db42a05c2f45d98f03ceff8b663d3ed63987fc4caf9f1b6a9fd75 (Date: 02/03/2019 08:09:10)
File SHA256: 0429c1c58b117f61a7c66736df32e58c17cef48da3cd79345c994fb3eeda0950 (Date: 02/03/2019 08:06:58)
File SHA256: 8227fa854f0346e411d3f2a8c8fedcd105042350f338a909263f734020ef0c2d (Date: 02/03/2019 07:56:24)
File SHA256: 04f4e087d39ee361b588d0e2c46b3174b94e24e14dce7dc6471794eea399bb79 (Date: 02/03/2019 07:28:28)
File SHA256: 98f46c3a69a979e6c89f4435ebf89296d09e4e02d95d4772231cc4fa7bfad052 (AV positives: 3/69 scanned on 11/15/2018 21:03:09)
File SHA256: 686da93d8fc95a7cfd37bad5692fec3c5ad84c723a09848bdf060c174d0ba492 (AV positives: 19/68 scanned on 10/26/2018 19:53:07)
File SHA256: 26ddd2affdf1bd04ea8cb86aaeaaaa945455f3bceda62c0821ee3a44ea52ee48 (AV positives: 3/65 scanned on 07/02/2018 00:15:41)
Found malicious artifacts related to "54.230.129.149": ...
File SHA256: 880ce471a6ac4e1e2bd524075556f28dee6c92c75fa47135adada6aa5e5b804b (Date: 12/19/2018 09:30:08)
File SHA256: dda0f4c4db5ab8a196699b36c34522af2b43b1c95793b5a42a2d835579f17d5c (Date: 12/19/2018 04:23:54)
File SHA256: ed1ea57381c7a158136096f07c0c07beb79ed7bf071216a0b7f4a9fd85361cfe (Date: 12/19/2018 03:55:14)
File SHA256: e92b723d232670b680f5c86dcbaf2151fdf2c90808dbbe90b7de6d8e3c270a74 (Date: 12/19/2018 03:05:06)
File SHA256: 3983c6ee40f933bacd5bdd9a4ec40b2ee1e913c738043ac02a856ad40aa96a0f (Date: 12/19/2018 01:41:05)
File SHA256: 58f276a127fd8a7464d564f2a0caa3ef7cd6f623ac6c6dc48afc8ba14abfcf4c (AV positives: 1/69 scanned on 08/27/2018 13:11:52)
File SHA256: eb24e82ef7536bdca5af9affb90af3200e47e472fdee98f41f27c9841eb6b357 (AV positives: 5/54 scanned on 06/13/2014 12:22:33)
File SHA256: 90b56764fa3b8f1db6cc7f074c9bbce0531f280ae5844b8ff988626318e6fd13 (AV positives: 16/50 scanned on 03/25/2014 20:45:01)
Found malicious artifacts related to "54.230.129.122": ...
URL: http://a0c07b1dfbd600257377d3029d69ca112.profile.ams50.cloudfront.net/ (AV positives: 1/65 scanned on 09/24/2015 12:09:15)
URL: http://a858dc34a6055a9609ab6ecb7cb8ecaec.profile.ams50.cloudfront.net/ (AV positives: 1/63 scanned on 08/16/2015 08:52:10)
URL: http://a71ea13958f4d3e5cdf07eaa9996c7fc0.profile.ams50.cloudfront.net/ (AV positives: 1/63 scanned on 07/03/2015 09:08:05)
URL: http://ab4bbfedb97be27145ddb8b7fa6087101.profile.ams50.cloudfront.net/ (AV positives: 1/63 scanned on 06/22/2015 11:56:15)
URL: http://a7362f0605e68d8ad3914160373c80a60.profile.ams50.cloudfront.net/ (AV positives: 1/63 scanned on 04/30/2015 17:49:13)
File SHA256: b4cea4a6563da97a0f9a6cf6df4ae67d7f9cfb7497de02894a770b2fab14241c (Date: 01/30/2019 07:34:14)
File SHA256: 0dc45df994f2e859f882a51675203eb76bc33646a3310c1029cbdb4f6ea0b7a6 (Date: 01/21/2019 08:39:05)
File SHA256: dc568949ecc34aa11fa0b46958a5deadfc836c36f05629ec9284d44e96111a33 (Date: 01/21/2019 08:10:23)
File SHA256: f42dad31dddee13abc8285d1540f3205b832536b1e9a6f9b134830ffdf3a3ae2 (Date: 01/21/2019 04:52:37)
File SHA256: 407eebc5c30a2d144624e5c7ed7dd6af854d56b2e954329012e531b8f7cc29c2 (Date: 01/21/2019 04:50:25)
File SHA256: 46c00fe37dd49f0a68eb7348d05a243a000673b234beae4301d63c2a2b94ff41 (AV positives: 44/71 scanned on 01/06/2019 16:42:19)
File SHA256: aa5e781b839e3185ac975d8e55f5085586cca77cef2eea3b797903df14bf7239 (AV positives: 1/69 scanned on 11/04/2018 19:10:32)
File SHA256: b25c88c0132794e74d80c520ab01c45ed067a120280b5fba9f00d977712a4b74 (AV positives: 32/70 scanned on 08/28/2018 00:06:54)
File SHA256: ff7952492c72dc30cccc0365a7b97b55d31d4ab68b41e45a8dc6629d47d513ee (AV positives: 31/57 scanned on 01/31/2015 17:59:48)
File SHA256: 28b92c2dbf67a23b0d043884f8f255cd7d8efd19e5c4efa36b4f8d91bc449017 (AV positives: 24/57 scanned on 01/25/2015 19:53:35)
Found malicious artifacts related to "54.230.129.88": ...
File SHA256: 72608be90891ad2b6077bf686cb2f34cfeb949d2f8aae1f0c3ed82c63f72089e (Date: 01/21/2019 12:23:51)
File SHA256: 943bd85778a26d700d6b53d721eb8d5806b0771fbfd35d9d6b6d6cce01119e21 (Date: 01/21/2019 11:40:28)
File SHA256: 57325017a630a86822e85b153b0439ccbf44b33ed261ab4a3f6ba2683cf4e17f (Date: 01/21/2019 11:34:49)
File SHA256: b6529cbe584a926974493c2916d1fbcf22aa77a4d5475ff5fe27db67f78d04e8 (Date: 01/21/2019 11:32:33)
File SHA256: d0a25db8d34119bdcc5c209e3af04850f99f52c05cc9d4b2cdafcc5ab0ad5166 (Date: 01/21/2019 11:32:30)
File SHA256: e91c012fdbef7a70e5c55813cd4b1794c240c85dd5aced4573702b9cc121f935 (AV positives: 3/70 scanned on 11/22/2018 07:38:46)
File SHA256: 8b42b829b5969a149678749abb207a37c703326ec6a57f9004df228e146307de (AV positives: 2/69 scanned on 11/22/2018 07:39:01)
File SHA256: 48622338c914ee98a94bf8678bb7ee1f66b11abe21130a9cb2f741adb0698868 (AV positives: 3/70 scanned on 11/21/2018 18:04:40)
File SHA256: 701e9609607cf1bbe27b958d0626753d82edf5cd0f5ffe52cdec5f1f3d286b1d (AV positives: 2/68 scanned on 11/17/2018 03:45:58)
File SHA256: dbaecb443b3da00ada37d972a4b0b5aa715e606bd5ff08636f2394a772cef83a (AV positives: 38/68 scanned on 12/07/2017 23:16:57)
Found malicious artifacts related to "172.217.17.104": ...
File SHA256: f783b1b630052d09a0b0c94bc972bb84ad3735b470a8246a603d175c59df203d (AV positives: 43/70 scanned on 01/29/2019 22:59:25)
File SHA256: fc2bb071941c5832f5a8621c31d667de5eb230c7124142e4e7de79f5748ca1cf (AV positives: 7/71 scanned on 01/29/2019 18:36:36)
File SHA256: 7d02b521efdc9a8ae18f0f354e9baa1b78040954f4b5f9699a4cd4062edfda4b (AV positives: 48/70 scanned on 01/28/2019 21:25:57)
File SHA256: 952d35423c5fb3a6fc5d211b61db9a7873b49bcb27005e6b496979e03d97b6f8 (AV positives: 11/71 scanned on 01/26/2019 06:05:10)
File SHA256: d3fb0df7871b63814c7463b090fa49791c00b2d508855d88d3cacf178daa9eb3 (AV positives: 18/70 scanned on 01/25/2019 16:58:07)
File SHA256: aac872f8a34a1b6fc40a0c36cce9cf629f228a655261bcbede8b0ac0b49112dd (Date: 10/31/2018 01:40:25)
File SHA256: 2e79833b9cab11d861e27f3c185549afc5ac512c73cd239a3b68c9053817556a (Date: 10/25/2018 10:02:02)
File SHA256: b0177a03ba4b6106e9f8b486be3fa431a8750fcc5df02a7695334b60296e9995 (Date: 10/24/2018 03:10:43)
File SHA256: 5d80c176b5dcb7bdeb394cd5e2590618c4f2e575fb7938d2120d68f17262c1bf (Date: 10/24/2018 00:18:28)
File SHA256: 9a092f4200758ebf99aa946a117118ea80e381f1c1d8eb513468767390bc1a43 (Date: 10/23/2018 22:25:29)
Found malicious artifacts related to "172.217.17.67": ...
File SHA256: ff1b67b4c5b6a285dba9da4fd802cc85ae2f12fa8821c0601e0c574fb9c07b85 (AV positives: 50/70 scanned on 02/04/2019 00:28:00)
File SHA256: 605a3d202932651c42a1de5e8c5707cf756053df8a9e1bdcd8fa7e43d78c6bf1 (AV positives: 50/70 scanned on 02/03/2019 10:32:55)
File SHA256: 4ca76d414345b9070b693b6d674c32b99d631975e8634d9ab749ccb6d0647aa9 (AV positives: 31/70 scanned on 02/03/2019 05:56:04)
File SHA256: 2fa731eef459aed873dd12819364712e5a08a900c84ffd56e3c63e77fc8ee000 (AV positives: 53/70 scanned on 02/02/2019 22:36:15)
File SHA256: 00d16cecb7f4bbd974037f7bd52a33d92ea0e7f4b33ab94d74ed3997bba76bfa (AV positives: 55/69 scanned on 02/02/2019 22:36:19)
File SHA256: 92b8ae1bb041148a10cdcf62686486cf286f335ce4b7673c51fe24c31f2d2ab5 (Date: 01/07/2019 15:09:03)
File SHA256: 3b5fb0755a15e89e9c795737e472f24e2fe2acaa5216c515c50abc004b480f03 (Date: 01/07/2019 12:05:57)
File SHA256: fa9b730ec95db7584d9640e6d15afa29ca26d2a5d49d5abf6a5db28d425835e6 (Date: 12/18/2018 13:51:37)
File SHA256: 3677352d8e694620b02d61910a6e073fb84a387a3a91b54b0d6ed574f504f6bc (Date: 12/18/2018 12:30:34)
File SHA256: 8f7c5dc69c0c2148da832073f5c9afdb03e95955ebd04c0caed8ed418c6fc1d5 (Date: 12/17/2018 12:46:39) - source
- Network Traffic
- relevance
- 10/10
-
Unusual Characteristics
-
Checks for a resource fork (ADS) file
- details
-
"DriverReviver.exe" checked file "C:"
"ga_utility.exe" checked file "C:"
- source
- API Call
- relevance
- 5/10
-
Spawns a lot of processes
- details
-
Spawned process "DriverReviverSetup_ppc4.exe"
Spawned process "DriverReviverSetup_b44_5.27.0.22.exe" with commandline "\DriverReviverSetup_b44_5.27.0.22.exe /BUILD_ID="44""
Spawned process "ga_utility.exe" with commandline "-install_start -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -language "en" -app_version "5.27.0.22" -product_code "DR" -app_name "Driver Reviver" -track_id "UA-66457935-4""
Spawned process "ns309C.tmp" with commandline ""%PROGRAMFILES%\ReviverSoft\Driver Reviver\binary_archive_converter.exe" /lcipath="%PROGRAMFILES%\ReviverSoft\Driver Reviver\lci.lci""
Spawned process "binary_archive_converter.exe" with commandline "/lcipath="%PROGRAMFILES%\ReviverSoft\Driver Reviver\lci.lci""
Spawned process "ReviverSoftSmartMonitorSetup.exe"
Spawned process "ReviverSoft Smart Monitor Service.exe" with commandline "/Service"
Spawned process "sc.exe" with commandline "sc start "ReviverSoft Smart Monitor Service""
Spawned process "DriverReviver.exe" with commandline "install lang=English -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370""
Spawned process "DriverReviver.exe" with commandline "-build_id 44 -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370""
Spawned process "ga_utility.exe" with commandline "-install_success -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -language "en" -app_version "5.27.0.22" -product_code "DR" -app_name "Driver Reviver" -track_id "UA-66457935-4""
Spawned process "DriverReviver.exe" with commandline "-no_update -scan -first_start_after_install -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370""
Spawned process "DriverReviver.exe" with commandline "-osource """
Spawned process "DriverReviver.exe" with commandline "openinsturl langid=en -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370""
- source
- Monitored Target
- relevance
- 8/10
-
Hiding 2 Malicious Indicators
-
Suspicious Indicators 29
-
Environment Awareness
-
Found a dropped file containing the Windows username (possible fingerprint attempt)
- details
- Found dropped filename "Start Driver Reviver for HAPUBWS-PC@HAPUBWS_logon_.job" containing the Windows username "HAPUBWS"
- source
- Binary File
- relevance
- 5/10
-
Reads the active computer name
- details
-
"DriverReviverSetup_ppc4.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"ga_utility.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"ReviverSoftSmartMonitorSetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"sc.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"DriverReviver.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Reads the cryptographic machine GUID
- details
-
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"DriverReviver.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
General
-
Reads configuration files
- details
-
"DriverReviverSetup_ppc4.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
"DriverReviverSetup_b44_5.27.0.22.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
"ReviverSoftSmartMonitorSetup.exe" read file "%PROGRAMFILES%\desktop.ini"
"ReviverSoftSmartMonitorSetup.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Drops executable files
- details
-
"DriverReviver.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Start Driver Reviver for HAPUBWS-PC@HAPUBWS_logon_.job" has type "VAX-order 68k Blit mpx/mux executable"
"ReviverSoftSmartMonitorSetup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"linker.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ga_utility.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"nsSessionSIDW.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"DriverReviverUpdater.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"notifier.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"DriverReviverSetup_b44_5.27.0.22.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"SystemInfo-vc100-mt.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"tray.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"ReviverSoftSmartMonitor.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"nsProcess.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"execDos.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"nsEnvVariables.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsExec.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"5.27.0.22"
Heuristic match: "/version[opt] = 'verion' (format "2.0.1.126") - max version of file that uses lci.lci"
Heuristic match: "Start App log.04/02/2019 07:45:00 Program version: 5.27.0.22, OS version: NTx86.6.1.1.256"
Heuristic match: "End App log.04/02/2019 07:47:00 Program version: 5.27.0.22, OS version: NTx86.6.1.1.256"
Heuristic match: "End App log.04/02/2019 07:45:00 Program version: 5.27.0.22, OS version: NTx86.6.1.1.256"
Heuristic match: "Start App log.04/02/2019 07:41:00 Program version: 5.27.0.22, OS version: NTx86.6.1.1.256"
Heuristic match: "End App log.04/02/2019 07:41:00 Program version: 5.27.0.22, OS version: NTx86.6.1.1.256"
Heuristic match: "-install_start -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -language "en" -app_version "5.27.0.22" -product_code "DR" -app_name "Driver Reviver" -track_id "UA-66457935-4""
Heuristic match: "-install_success -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -language "en" -app_version "5.27.0.22" -product_code "DR" -app_name "Driver Reviver" -track_id "UA-66457935-4""
- source
- File/Memory
- relevance
- 3/10
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
-
TCP traffic to 54.85.112.141 on port 443 is sent without HTTP header
TCP traffic to 54.230.129.17 on port 80 is sent without HTTP header
TCP traffic to 54.230.129.145 on port 80 is sent without HTTP header
TCP traffic to 54.230.129.107 on port 80 is sent without HTTP header
TCP traffic to 54.230.129.149 on port 80 is sent without HTTP header
TCP traffic to 54.230.129.122 on port 80 is sent without HTTP header
TCP traffic to 54.230.129.188 on port 80 is sent without HTTP header
TCP traffic to 54.230.129.88 on port 80 is sent without HTTP header
TCP traffic to 172.217.17.104 on port 443 is sent without HTTP header
TCP traffic to 172.217.17.67 on port 80 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
- "ns309C.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
-
System Destruction
-
Marks file for deletion
- details
-
"C:\DriverReviverSetup_ppc4.exe" marked "%TEMP%\nsf72D7.tmp" for deletion
"C:\DriverReviverSetup_b44_5.27.0.22.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nso91E8.tmp" for deletion
"C:\DriverReviverSetup_b44_5.27.0.22.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp" for deletion
"C:\DriverReviverSetup_b44_5.27.0.22.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ns309C.tmp" for deletion
"C:\DriverReviverSetup_b44_5.27.0.22.exe" marked "C:\Program Files\ReviverSoft\Driver Reviver\binary_archive_converter.exe" for deletion
"%TEMP%\nsa9536.tmp\ReviverSoftSmartMonitorSetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsd9A21.tmp" for deletion
"%TEMP%\nsa9536.tmp\ReviverSoftSmartMonitorSetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsy9B8A.tmp" for deletion
"%TEMP%\nsa9536.tmp\ReviverSoftSmartMonitorSetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsy9B8A.tmp\execDos.dll" for deletion
"%TEMP%\nsa9536.tmp\ReviverSoftSmartMonitorSetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsy9B8A.tmp\System.dll" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
-
"DriverReviverSetup_ppc4.exe" opened "%TEMP%\nsf72D7.tmp" with delete access
"DriverReviverSetup_b44_5.27.0.22.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nso91E8.tmp" with delete access
"DriverReviverSetup_b44_5.27.0.22.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp" with delete access
"DriverReviverSetup_b44_5.27.0.22.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa9536.tmp\ns309C.tmp" with delete access
"DriverReviverSetup_b44_5.27.0.22.exe" opened "C:\Program Files\ReviverSoft\Driver Reviver\binary_archive_converter.exe" with delete access
"ReviverSoftSmartMonitorSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsd9A21.tmp" with delete access
"ReviverSoftSmartMonitorSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsy9B8A.tmp" with delete access
"ReviverSoftSmartMonitorSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsy9B8A.tmp\execDos.dll" with delete access
"ReviverSoftSmartMonitorSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsy9B8A.tmp\System.dll" with delete access
"ReviverSoftSmartMonitorSetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsy9B8A.tmp\" with delete access
"DriverReviver.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\ReviverSoft\Driver Reviver\S-1-5-21-2092356043-4041700817-663127204-1001\AppSettings.xml" with delete access
"DriverReviver.exe" opened "C:\Windows\Tasks\Start Driver Reviver for User(logon).job" with delete access
"DriverReviver.exe" opened "C:\Windows\Tasks\Start Driver Reviver for %OSUSER%-PC@%OSUSER%(logon).job" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies Software Policy Settings
- details
-
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"ReviverSoft Smart Monitor Service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Modifies proxy settings
- details
-
"DriverReviver.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"DriverReviver.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"DriverReviver.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"DriverReviver.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"DriverReviver.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"ga_utility.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"ga_utility.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"ga_utility.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"ga_utility.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"ga_utility.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Queries sensitive IE security settings
- details
-
"DriverReviver.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
"ga_utility.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"linker.dll" claimed CRC 49504 while the actual is CRC 246085
"ga_utility.exe" claimed CRC 456504 while the actual is CRC 49504
"nsSessionSIDW.dll" claimed CRC 87310 while the actual is CRC 456504
"DriverReviverUpdater.exe" claimed CRC 119398 while the actual is CRC 87310
"tray.exe" claimed CRC 911671 while the actual is CRC 119398
"nsProcess.dll" claimed CRC 55001 while the actual is CRC 911671
"nsEnvVariables.dll" claimed CRC 43969 while the actual is CRC 22041
"Uninstall.exe" claimed CRC 506093 while the actual is CRC 25128
"binary_archive_converter.exe" claimed CRC 696696 while the actual is CRC 506093
"ReviverSoft Smart Monitor Service.exe" claimed CRC 764454 while the actual is CRC 696696
- source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegDeleteValueW
RegCloseKey
OpenProcessToken
RegEnumKeyW
RegOpenKeyExW
RegDeleteKeyW
CopyFileW
GetModuleFileNameW
GetFileAttributesW
GetFileSize
GetCommandLineW
LoadLibraryExW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetTempFileNameW
GetModuleHandleA
CreateThread
FindNextFileW
GetTempPathW
FindFirstFileW
GetModuleHandleW
WriteFile
CreateFileW
CreateProcessW
Sleep
GetTickCount
ShellExecuteExW
FindWindowExW
ShellExecuteW
UnhandledExceptionFilter
FindResourceExW
OutputDebugStringW
IsDebuggerPresent
ExitThread
TerminateProcess
GetModuleHandleExW
GetStartupInfoW
FindFirstFileExW
LockResource
GetCommandLineA
FindResourceW
HttpQueryInfoW
InternetQueryDataAvailable
InternetConnectW
InternetReadFile
InternetCloseHandle
HttpSendRequestW
InternetOpenW
CreateToolhelp32Snapshot
GetModuleFileNameA
LoadLibraryA
Process32NextW
OpenProcess
Process32FirstW
GetStartupInfoA
VirtualAlloc
RegEnumKeyExW
LoadLibraryExA
LoadLibraryW
FindWindowW
GetVersionExW
GetWindowThreadProcessId
VirtualProtect
SetSecurityDescriptorDacl
CreateFileMappingW
MapViewOfFile
CreateServiceW
CreateProcessAsUserW
StartServiceCtrlDispatcherW
GetFileAttributesExW
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"DriverReviverSetup_ppc4.exe" wrote bytes "d0558c76647395760000000051c16e7694986e76ee9c6e7675dc7076273e70760fb3747600000000acdc8f771bf78f77c1089177c0d98f77152e8f7736da8f77d5d98f7730c68f77e0c28f7742c68f771bc68f7786c48f7772c68f7700000000" to virtual address "0x6D3D1000" (part of module "SHFOLDER.DLL")
"DriverReviverSetup_b44_5.27.0.22.exe" wrote bytes "7da38f7795a38f7782f38e7700d08f771f938e77987b9177bcce8f771af18f772c699177f8bf8f772fad8f7762f18f77d4ce8f7727f18f775ac68f77252e8f7787f18f77000000003d429c7700000000d1e4a8770822ab7700000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
"DriverReviverSetup_b44_5.27.0.22.exe" wrote bytes "c2000000" to virtual address "0x10004020" (part of module "SYSTEM.DLL")
"DriverReviverSetup_b44_5.27.0.22.exe" wrote bytes "d0558c76647395760000000051c16e7694986e76ee9c6e7675dc7076273e70760fb3747600000000acdc8f771bf78f77c1089177c0d98f77152e8f7736da8f77d5d98f7730c68f77a0c48f7742c68f771bc68f7786c48f7772c68f7700000000" to virtual address "0x6D3D1000" (part of module "SHFOLDER.DLL")
"ga_utility.exe" wrote bytes "b830124a74ffe0" to virtual address "0x765F1368" (part of module "WS2_32.DLL")
"ga_utility.exe" wrote bytes "4812a975" to virtual address "0x75AA8364" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "60124a74" to virtual address "0x71BE4028" (part of module "WEBIO.DLL")
"ga_utility.exe" wrote bytes "b840134a74ffe0" to virtual address "0x75A91248" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "f811a975" to virtual address "0x75AA834C" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "b8c0154a74ffe0" to virtual address "0x75A911F8" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "f8110000" to virtual address "0x75A912CC" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "f811a975" to virtual address "0x75AA83C4" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "f8110000" to virtual address "0x75A91408" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "4812a975" to virtual address "0x75AA8348" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "4812a975" to virtual address "0x75AA83C0" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "f811a975" to virtual address "0x75AA8368" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "48120000" to virtual address "0x75A9139C" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "f811a975" to virtual address "0x75AA83E0" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "4812a975" to virtual address "0x75AA83DC" (part of module "SSPICLI.DLL")
"ga_utility.exe" wrote bytes "c04ed3772054d477e065d477b538d5770000000000d08f7700000000c5ea8f770000000088ea8f7700000000e968dc758228d577ee29d57700000000d269dc75000000007dbb8f770000000009bedc7500000000ba188f7700000000" to virtual address "0x76831000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
-
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"DriverReviver.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 12 Suspicious Indicators
-
Informative 27
-
Anti-Reverse Engineering
-
PE file contains zero-size sections
- details
-
Raw size of ".ndata" is zero
Raw size of ".data" is zero
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Queries volume information
- details
-
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "C:\" at 00035636-00004156-0000010C-374845020239
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "%PROGRAMFILES%\ReviverSoft\Driver Reviver\DriverReviver.exe" at 00035636-00004156-0000010C-374935682325
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "C:\" at 00035636-00004156-0000010C-376525279604
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "%PROGRAMFILES%\ReviverSoft\Driver Reviver\DriverReviver.exe" at 00035636-00004156-0000010C-376529441510
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "C:\" at 00035636-00004156-0000010C-404376945362
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "%PROGRAMFILES%\ReviverSoft\Driver Reviver\Uninstall.exe" at 00035636-00004156-0000010C-404380847955
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
-
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "C:\" at 00035636-00004156-0000010C-374845020239
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "C:\" at 00035636-00004156-0000010C-376525279604
"DriverReviverSetup_b44_5.27.0.22.exe" queries volume information of "C:\" at 00035636-00004156-0000010C-404376945362
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DRIVER REVIVER")
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\7-ZIP")
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\7-ZIP"; Key: "DISPLAYNAME"; Value: "00000000010000001800000037002D005A00690070002000310036002E00300034000000")
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR")
"DriverReviverSetup_b44_5.27.0.22.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR"; Key: "DISPLAYNAME"; Value: "000000000100000014000000410064006F006200650020004100490052000000")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
General
-
Accesses Software Policy Settings
- details
-
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
Accesses System Certificates Settings
- details
-
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\2E4916B07F3DE90C8DDE2566FD9B9B400D89BBBA"; Key: "BLOB")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E6A3B45B062D509B3382282D196EFE97D5956CCB"; Key: "BLOB")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Contacts domains
- details
-
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
- source
- Network Traffic
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"DriverReviverSetup_b44_5.27.0.22.exe" created file "%TEMP%\nsv9516.tmp"
"DriverReviverSetup_b44_5.27.0.22.exe" created file "%TEMP%\nsa9536.tmp\System.dll"
"DriverReviverSetup_b44_5.27.0.22.exe" created file "%TEMP%\nsa9536.tmp\ga_utility.exe"
"DriverReviverSetup_b44_5.27.0.22.exe" created file "%TEMP%\nsa9536.tmp\ioSpecial.ini"
"DriverReviverSetup_b44_5.27.0.22.exe" created file "%TEMP%\nsa9536.tmp\modern-wizard.bmp"
"DriverReviverSetup_b44_5.27.0.22.exe" created file "%TEMP%\nsa9536.tmp\nsEnvVariables.dll"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\{81222D68-017D-4DB5-872F-C02F40348975}"
"{81222D68-017D-4DB5-872F-C02F40348975}"
"\Sessions\1\BaseNamedObjects\{22590E47-FF51-4F4F-9202-77779ED45E36}"
"{22590E47-FF51-4F4F-9202-77779ED45E36}"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "Uninstall.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ReviverSoftSmartMonitorSetup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "linker.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "nsSessionSIDW.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "SystemInfo-vc100-mt.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ReviverSoftSmartMonitor.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "nsProcess.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "execDos.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "nsEnvVariables.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "nsExec.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "System.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "binary_archive_converter.exe" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ReviverSoft Smart Monitor Service.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "InstallOptions.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.ss2.us"
"GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootg2.amazontrust.com"
"GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootca1.amazontrust.com"
"GET /rootg2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.rootg2.amazontrust.com"
"GET /rootca1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.rootca1.amazontrust.com"
"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAtddVZejBYhWliYrrhkNzQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.sca1b.amazontrust.com"
"GET /sca1b.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.sca1b.amazontrust.com"
"GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.pki.goog"
"GET /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCGdPLQ2NqQ9M HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.pki.goog"
"GET /GTSGIAG3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.pki.goog" - source
- Network Traffic
- relevance
- 5/10
-
Loads rich edit control libraries
- details
- "DriverReviverSetup_b44_5.27.0.22.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6D230000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"DriverReviverSetup_ppc4.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"DriverReviverSetup_ppc4.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"DriverReviverSetup_b44_5.27.0.22.exe" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}")
"DriverReviver.exe" touched "XML DOM Document 3.0" (Path: "HKCU\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}")
"DriverReviver.exe" touched "Scheduling Agent Service Class" (Path: "HKCU\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}")
"DriverReviver.exe" touched "TaskScheduler class" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}")
"DriverReviver.exe" touched "PSOAInterface" (Path: "HKCU\CLSID\{00020424-0000-0000-C000-000000000046}\TREATAS")
"DriverReviver.exe" touched "PSDispatch" (Path: "HKCU\CLSID\{00020420-0000-0000-C000-000000000046}\TREATAS")
"DriverReviver.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
"DriverReviver.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
"DriverReviver.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
"DriverReviver.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"DriverReviver.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"DriverReviver.exe" touched "NetworkListManager" (Path: "HKCU\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\TREATAS")
"DriverReviver.exe" touched "Network List Manager" (Path: "HKCU\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TREATAS")
"DriverReviver.exe" touched "WinInetBroker Class" (Path: "HKCU\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
Reads Windows Trust Settings
- details
-
"ReviverSoft Smart Monitor Service.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
"DriverReviver.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE") - source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Scanning for window names
- details
-
"DriverReviverSetup_b44_5.27.0.22.exe" searching for class "#32770"
"DriverReviverSetup_b44_5.27.0.22.exe" searching for class "SysListView32"
"DriverReviver.exe" searching for class "MainWnd" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "DriverReviverSetup_b44_5.27.0.22.exe" with commandline "\DriverReviverSetup_b44_5.27.0.22.exe /BUILD_ID="44""
Spawned process "ga_utility.exe" with commandline "-install_start -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -lan ..."
Spawned process "ns309C.tmp" with commandline ""%PROGRAMFILES%\ReviverSoft\Driver Reviver\binary_archive_conver ..."
Spawned process "binary_archive_converter.exe" with commandline "/lcipath="%PROGRAMFILES%\ReviverSoft\Driver Reviver\lci.lci""
Spawned process "ReviverSoftSmartMonitorSetup.exe"
Spawned process "ReviverSoft Smart Monitor Service.exe" with commandline "/Service"
Spawned process "sc.exe" with commandline "sc start "ReviverSoft Smart Monitor Service""
Spawned process "DriverReviver.exe" with commandline "install lang=English -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370 ..."
Spawned process "DriverReviver.exe" with commandline "-build_id 44 -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370""
Spawned process "ga_utility.exe" with commandline "-install_success -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -l ..."
Spawned process "DriverReviver.exe" with commandline "-no_update -scan -first_start_after_install -guid "CC169AEA-EF66 ..."
Spawned process "DriverReviver.exe" with commandline "-osource """
Spawned process "DriverReviver.exe" with commandline "openinsturl langid=en -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE37 ..." - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "DriverReviverSetup_b44_5.27.0.22.exe" with commandline "\DriverReviverSetup_b44_5.27.0.22.exe /BUILD_ID="44""
Spawned process "ga_utility.exe" with commandline "-install_start -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -lan ..."
Spawned process "ns309C.tmp" with commandline ""%PROGRAMFILES%\ReviverSoft\Driver Reviver\binary_archive_conver ..."
Spawned process "binary_archive_converter.exe" with commandline "/lcipath="%PROGRAMFILES%\ReviverSoft\Driver Reviver\lci.lci""
Spawned process "ReviverSoftSmartMonitorSetup.exe"
Spawned process "ReviverSoft Smart Monitor Service.exe" with commandline "/Service"
Spawned process "sc.exe" with commandline "sc start "ReviverSoft Smart Monitor Service""
Spawned process "DriverReviver.exe" with commandline "install lang=English -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370 ..."
Spawned process "DriverReviver.exe" with commandline "-build_id 44 -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370""
Spawned process "ga_utility.exe" with commandline "-install_success -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -l ..."
Spawned process "DriverReviver.exe" with commandline "-no_update -scan -first_start_after_install -guid "CC169AEA-EF66 ..."
Spawned process "DriverReviver.exe" with commandline "-osource """
Spawned process "DriverReviver.exe" with commandline "openinsturl langid=en -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE37 ..." - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "C=CA, S=Ontario, L=Ottawa, O=Corel Corporation, CN=Corel Corporation" (SHA1: 56:0F:D9:81:FC:D9:84:99:9B:3A:FC:01:4D:07:CC:40:2B:88:63:E9: (1.2.840.113549.1.1.11); see report for more information)
The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA" (SHA1: 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6: (1.2.840.113549.1.1.11); see report for more information)
The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA" (SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43: (sha1RSA(RSA)); see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"DriverReviverSetup_ppc4.exe" connecting to "\ThemeApiPort"
"DriverReviverSetup_b44_5.27.0.22.exe" connecting to "\ThemeApiPort"
"ReviverSoftSmartMonitorSetup.exe" connecting to "\ThemeApiPort"
"ReviverSoft Smart Monitor Service.exe" connecting to "\ThemeApiPort"
"DriverReviver.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"DriverReviver.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Start Driver Reviver for HAPUBWS-PC@HAPUBWS_logon_.job" has type "VAX-order 68k Blit mpx/mux executable"
"ReviverSoftSmartMonitorSetup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"linker.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Driver Reviver.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Tue Oct 16 15:30:50 2018 mtime=Mon Feb 4 06:45:00 2019 atime=Tue Oct 16 15:30:50 2018 length=29643048 window=hide"
"ga_utility.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"nsSessionSIDW.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"DriverReviverUpdater.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"notifier.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"DriverReviverSetup_b44_5.27.0.22.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"SystemInfo-vc100-mt.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"tray.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"ReviverSoftSmartMonitor.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"nsProcess.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"execDos.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"Uninstall.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Tue Oct 16 15:30:52 2018 mtime=Mon Feb 4 06:49:00 2019 atime=Tue Oct 16 15:30:52 2018 length=503232 window=hide"
"nsEnvVariables.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsExec.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"DriverReviverSetup_ppc4.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"DriverReviverSetup_ppc4.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"DriverReviverSetup_ppc4.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"DriverReviverSetup_ppc4.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000012.db"
"DriverReviverSetup_ppc4.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"DriverReviverSetup_ppc4.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"DriverReviverSetup_ppc4.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"DriverReviverSetup_ppc4.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000012.db"
"DriverReviverSetup_b44_5.27.0.22.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"DriverReviverSetup_b44_5.27.0.22.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"DriverReviverSetup_b44_5.27.0.22.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"DriverReviverSetup_b44_5.27.0.22.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000012.db"
"DriverReviverSetup_b44_5.27.0.22.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"DriverReviverSetup_b44_5.27.0.22.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"DriverReviverSetup_b44_5.27.0.22.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"DriverReviverSetup_b44_5.27.0.22.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "S.ZWl/[I"
Heuristic match: "OwkOrU.tr"
Heuristic match: "$Me}`.cU"
Pattern match: "www.digicert.com110/"
Pattern match: "http://crl3.digicert.com/sha2-assured-cs-g1.crl05"
Pattern match: "http://crl4.digicert.com/sha2-assured-cs-g1.crl0L"
Pattern match: "https://www.digicert.com/CPS0"
Pattern match: "http://ocsp.digicert.com0N"
Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0"
Pattern match: "www.digicert.com1$0"
Pattern match: "http://ocsp.digicert.com0C"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0"
Pattern match: "crl4.digicert.com/DigiCertAssuredIDRootCA.crl0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O"
Pattern match: "http://nsis.sf.net/NSIS_Error"
Heuristic match: "o.ss2.us"
Heuristic match: "GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.ss2.us"
Heuristic match: "ocsp.rootg2.amazontrust.com"
Heuristic match: "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootg2.amazontrust.com"
Heuristic match: "ocsp.rootca1.amazontrust.com"
Heuristic match: "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootca1.amazontrust.com"
Heuristic match: "crl.rootg2.amazontrust.com"
Heuristic match: "GET /rootg2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.rootg2.amazontrust.com"
Heuristic match: "crl.rootca1.amazontrust.com"
Heuristic match: "GET /rootca1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.rootca1.amazontrust.com"
Heuristic match: "ocsp.sca1b.amazontrust.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAtddVZejBYhWliYrrhkNzQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.sca1b.amazontrust.com"
Heuristic match: "crl.sca1b.amazontrust.com"
Heuristic match: "GET /sca1b.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.sca1b.amazontrust.com"
Heuristic match: "api.reviversoft.com"
Heuristic match: "update.reviversoft.com"
Pattern match: "soft.com/action/?product=DR&LinkType=Support&Language={{langid}}&BuildID={{buildid}}&OSource={{osource}}&t={{trackid}}&UID={{uid"
Pattern match: "www.reviversoft.com/support/driver-reviver/"
Pattern match: "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIG"
Pattern match: "http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCGdPLQ2NqQ"
Pattern match: "http://crl.pki.goog/GTSGIAG3.crl" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
-
"DriverReviver.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"ga_utility.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"DriverReviverSetup_ppc4.exe" opened "\Device\KsecDD"
"DriverReviverSetup_b44_5.27.0.22.exe" opened "\Device\KsecDD"
"ReviverSoftSmartMonitorSetup.exe" opened "\Device\KsecDD"
"ReviverSoft Smart Monitor Service.exe" opened "\Device\KsecDD"
"DriverReviver.exe" opened "\Device\KsecDD"
"ga_utility.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"ga_utility.exe" was detected as "VC8 -> Microsoft Corporation"
"nsSessionSIDW.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"DriverReviverUpdater.exe" was detected as "VC8 -> Microsoft Corporation"
"tray.exe" was detected as "VC8 -> Microsoft Corporation"
"nsEnvVariables.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"Uninstall.exe" was detected as "Nullsoft PiMP Stub -> SFX"
"binary_archive_converter.exe" was detected as "VC8 -> Microsoft Corporation"
"ReviverSoft Smart Monitor Service.exe" was detected as "Visual C++ 2005 Release -> Microsoft" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
-
File Details
DriverReviverSetup_ppc4.exe
- Filename
- DriverReviverSetup_ppc4.exe
- Size
- 17MiB (18187464 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 5cab84082a8c9a3be7da6b03fe9a4c4ecb3f40c40d67d72879143b68f03ac3db
- MD5
- 7427ee5b26666ece398ba0441945b379
- SHA1
- 08feb067caf061346a300c04f6f25dd60045c42f
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
C=CA, S=Ontario, L=Ottawa, O=Corel Corporation, CN=Corel Corporation | C=CA, S=Ontario, L=Ottawa, O=Corel Corporation, CN=Corel Corporation (Serial: 0d3390d3727c6a96446cf7cb86beb519) | 01/04/2018 01:00:00 to 01/09/2020 13:00:00 | 56:0F:D9:81:FC:D9:84:99:9B:3A:FC:01:4D:07:CC:40:2B:88:63:E9: (1.2.840.113549.1.1.11) |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA (Serial: 0409181b5fd5bb66755343b56f955008) | 10/22/2013 13:00:00 to 10/22/2028 13:00:00 | 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6: (1.2.840.113549.1.1.11) |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA (Serial: 0ce7e0e517d846fe8fe560fc1bf03039) | 11/10/2006 01:00:00 to 11/10/2031 01:00:00 | 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43: (sha1RSA(RSA)) |
Hybrid Analysis
Analysed 14 processes in total (System Resource Monitor).
- DriverReviverSetup_ppc4.exe (PID: 3340) 2/68
- DriverReviverSetup_b44_5.27.0.22.exe \DriverReviverSetup_b44_5.27.0.22.exe /BUILD_ID="44" (PID: 4156) 3/68
- ga_utility.exe -install_start -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -language "en" -app_version "5.27.0.22" -product_code "DR" -app_name "Driver Reviver" -track_id "UA-66457935-4" (PID: 3896) 3/91
- ns309C.tmp "%PROGRAMFILES%\ReviverSoft\Driver Reviver\binary_archive_converter.exe" /lcipath="%PROGRAMFILES%\ReviverSoft\Driver Reviver\lci.lci" (PID: 4316)
- binary_archive_converter.exe /lcipath="%PROGRAMFILES%\ReviverSoft\Driver Reviver\lci.lci" (PID: 2316)
- ReviverSoftSmartMonitorSetup.exe (PID: 4200)
- ReviverSoft Smart Monitor Service.exe /Service (PID: 3524)
- sc.exe sc start "ReviverSoft Smart Monitor Service" (PID: 4368)
- DriverReviver.exe install lang=English -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" (PID: 3904) 1/67
- DriverReviver.exe -build_id 44 -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" (PID: 4624) 1/67
- ga_utility.exe -install_success -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" -language "en" -app_version "5.27.0.22" -product_code "DR" -app_name "Driver Reviver" -track_id "UA-66457935-4" (PID: 4916) 3/91
- DriverReviver.exe -no_update -scan -first_start_after_install -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" (PID: 4756) 1/67
- DriverReviver.exe -osource "" (PID: 4796) 1/67
- DriverReviver.exe openinsturl langid=en -guid "CC169AEA-EF66-487C-A4DC-27CEC5DCE370" (PID: 5456) 1/67
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
api.reviversoft.com | 35.170.105.19 (TTL: 300) | 1&1 Internet SE (Organization: ReviverSoft; Name Server: GORDON.NS.CLOUDFLARE.COM; Creation Date: Sat, 25 Jul 2009 00:00:00 GMT) | United States |
crl.pki.goog | 172.217.17.67 (TTL: 3600) | - | United States |
crl.rootca1.amazontrust.com | 54.230.129.122 (TTL: 300) | MarkMonitor, Inc. | United States |
crl.rootg2.amazontrust.com | 54.230.129.149 (TTL: 300) | MarkMonitor, Inc. | United States |
crl.sca1b.amazontrust.com | 54.230.129.88 (TTL: 300) | MarkMonitor, Inc. | United States |
o.ss2.us | 54.230.129.17 (TTL: 300) | whois.godaddy.com (Name Server: NS-19.AWSDNS-02.COM; Creation Date: Thu, 16 Apr 2015 18:03:31 GMT) | United States |
ocsp.pki.goog | 172.217.17.67 (TTL: 3600) | - | United States |
ocsp.rootca1.amazontrust.com | 54.230.129.107 (TTL: 300) | MarkMonitor, Inc. | United States |
ocsp.rootg2.amazontrust.com | 54.230.129.145 (TTL: 300) | MarkMonitor, Inc. | United States |
ocsp.sca1b.amazontrust.com | 54.230.129.188 (TTL: 300) | - | United States |
update.reviversoft.com | 54.85.112.141 (TTL: 300) | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
54.85.112.141 | 443/TCP | reviversoft smart monitor service.exe (PID: 2436), driverreviver.exe (PID: 2692), driverreviver.exe (PID: 5480) | United States |
54.230.129.17 | 80/TCP | reviversoft smart monitor service.exe (PID: 2436), driverreviver.exe (PID: 2692) | United States |
54.230.129.145 | 80/TCP | reviversoft smart monitor service.exe (PID: 2436), driverreviver.exe (PID: 2692), driverreviver.exe (PID: 5480) | United States |
54.230.129.107 | 80/TCP | reviversoft smart monitor service.exe (PID: 2436), driverreviver.exe (PID: 2692), driverreviver.exe (PID: 5480), notifier.exe (PID: 6088) | United States |
54.230.129.149 | 80/TCP | reviversoft smart monitor service.exe (PID: 2436), driverreviver.exe (PID: 2692) | United States |
54.230.129.122 | 80/TCP | reviversoft smart monitor service.exe (PID: 2436), driverreviver.exe (PID: 2692) | United States |
54.230.129.188 | 80/TCP | reviversoft smart monitor service.exe (PID: 2436), driverreviver.exe (PID: 2692), driverreviver.exe (PID: 5480), notifier.exe (PID: 6088) | United States |
54.230.129.88 | 80/TCP | reviversoft smart monitor service.exe (PID: 2436), driverreviver.exe (PID: 2692) | United States |
172.217.17.104 | 443/TCP | driverreviver.exe (PID: 3904), driverreviver.exe (PID: 2692) | United States |
172.217.17.67 | 80/TCP | driverreviver.exe (PID: 3904) | United States |
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
54.230.129.17:80 (o.ss2.us) | GET | o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.ss2.us |
54.230.129.145:80 (ocsp.rootg2.amazontrust.com) | GET | ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKw... | GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootg2.amazontrust.com |
54.230.129.107:80 (ocsp.rootca1.amazontrust.com) | GET | ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd... | GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootca1.amazontrust.com |
54.230.129.149:80 (crl.rootg2.amazontrust.com) | GET | crl.rootg2.amazontrust.com/rootg2.crl | GET /rootg2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.rootg2.amazontrust.com |
54.230.129.122:80 (crl.rootca1.amazontrust.com) | GET | crl.rootca1.amazontrust.com/rootca1.crl | GET /rootca1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.rootca1.amazontrust.com |
54.230.129.188:80 (ocsp.sca1b.amazontrust.com) | GET | ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAtddVZejBYhWliYrrhkNzQ... | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAtddVZejBYhWliYrrhkNzQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.sca1b.amazontrust.com |
54.230.129.88:80 (crl.sca1b.amazontrust.com) | GET | crl.sca1b.amazontrust.com/sca1b.crl | GET /sca1b.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.sca1b.amazontrust.com |
172.217.17.67:80 (ocsp.pki.goog) | GET | ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D | GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.pki.goog |
172.217.17.67:80 (ocsp.pki.goog) | GET | ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCGdPLQ2NqQ9M | GET /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCGdPLQ2NqQ9M HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.pki.goog |
172.217.17.67:80 (crl.pki.goog) | GET | crl.pki.goog/GTSGIAG3.crl | GET /GTSGIAG3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.pki.goog |
54.230.129.17:80 (o.ss2.us) | GET | o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.ss2.us More Details |
54.230.129.145:80 (ocsp.rootg2.amazontrust.com) | GET | ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKw... | GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootg2.amazontrust.com More Details |
54.230.129.107:80 (ocsp.rootca1.amazontrust.com) | GET | ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd... | GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootca1.amazontrust.com
54.230.129.107:80 (ocsp.rootca1.amazontrust.com) | GET | ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd... | GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.rootca1.amazontrust.com
54.230.129.188:80 (ocsp.sca1b.amazontrust.com) | GET | ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAtddVZejBYhWliYrrhkNzQ... | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAtddVZejBYhWliYrrhkNzQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.sca1b.amazontrust.com
54.230.129.188:80 (ocsp.sca1b.amazontrust.com) | GET | ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAtddVZejBYhWliYrrhkNzQ... | GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAtddVZejBYhWliYrrhkNzQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.sca1b.amazontrust.com
Extracted Strings
Extracted Files
Displaying 42 extracted file(s). The remaining 97 file(s) are available in the full version and XML/JSON reports.
-
Malicious 5
-
-
DriverReviverUpdater.exe
- Size
- 112KiB (114472 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Gen:Variant.Razy" (10/67)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 5776accecb222e24566b82b2b906ef65
- SHA1
- 24f7cc1405b6039a152cbc451a6d1b8eb41bd32a
- SHA256
- 9f135e593fafbada83b8e3dd284b9d06a565c920aa087372ac9dd75af19cbcd4
-
notifier.exe
- Size
- 2.1MiB (2175272 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "PUP.Optional" (2/70)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- d9357aa1731245673a5bfe0384c4c6e9
- SHA1
- 00a55c7e42a9641b2a3ad32e9853c02f63de53f9
- SHA256
- aa7bdd308975709612879077f30efbab9615a6580e059c202571247d733cf0d5
-
tray.exe
- Size
- 838KiB (858408 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "PUP.Optional" (3/68)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 6494b5c5121d8e1b32ca3ec841d95ba0
- SHA1
- cab3294547810bc2b5950ffb9eb1a2e2f54937b5
- SHA256
- 34ab65064600268be8aa18c80406adc6de44832130f6cb278462067df54b3189
-
Uninstall.exe
- Size
- 491KiB (503232 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "PUP.Optional" (1/70)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 565118deb125e3d73fe484e6702b59ad
- SHA1
- e46a3ff601428ec1b390a3e5266b0eb30026ab30
- SHA256
- 88d74600d9cc030c2934760ae8e24e8196c90c94e9579f0734d228dd61993159
-
ga_utility.exe
- Size
- 400KiB (409600 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "malicious.moderate.ml" (3/91)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 25415220457bbb87e44bc7d18aa904a8
- SHA1
- 2172970ae4220784849f42221cb9eb3559c13205
- SHA256
- 4918b4e6e07392dc34c5221bf28d61b52b18797b894cbd46613f8816a3d5881e
-
-
Clean 13
-
-
binary_archive_converter.exe
- Size
- 654KiB (669696 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 9373ae4034b44eba5e7835c63d3e8bf0
- SHA1
- d598f4eb30eddc34168c772d019bb9b6673b2c72
- SHA256
- 493851eaea727f80a4ef891e3c34362ac0c6e6552e1f9b263de9bf164774e836
-
ReviverSoft Smart Monitor Service.exe
- Size
- 722KiB (739112 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- ReviverSoftSmartMonitorSetup.exe (PID: 4200)
- MD5
- 6da0a5838486b2fd53a3dcc75c1ee2b1
- SHA1
- ccf044393075d8c5c4649f7c037db3cc774291c0
- SHA256
- b16f4cf04f392f5cfd1e6c025c667d76cfda9044e6318f6b861158f1fb1f41b7
-
ReviverSoftSmartMonitor.exe
- Size
- 2.6MiB (2738472 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/88
- Runtime Process
- ReviverSoftSmartMonitorSetup.exe (PID: 4200)
- MD5
- 71ccffb438bc94db39627e55f0e789aa
- SHA1
- 72129e86fd6ecb363debf81e93346149663f223f
- SHA256
- d10d5694ea0051b72c861905fa107820c638364c28d708600b3ebfa31ac462fb
-
SystemInfo-vc100-mt.dll
- Size
- 1.6MiB (1727272 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- ReviverSoftSmartMonitorSetup.exe (PID: 4200)
- MD5
- 28a0003792593c618fc7f58848358abb
- SHA1
- 7f99675086bf7129ba291a41ed2e513d706d83dd
- SHA256
- e4c8cfb315a3ddd97703de1df14c32ab0ed5d8e3131ffdbebbef4506fa298f5b
-
InstallOptions.dll
- Size
- 15KiB (15360 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 67d8f4d5acdb722e9cb7a99570b3ded1
- SHA1
- f4a729ba77332325ea4dbdeea98b579f501fd26f
- SHA256
- fa8de036b1d9bb06be383a82041966c73473fc8382d041fb5c1758f991afeae7
-
ReviverSoftSmartMonitorSetup.exe
- Size
- 3.9MiB (4128272 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/90
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 27f6fe14765c212dffd8460014935524
- SHA1
- 39ee1cbbf3818264e340671310d41d2a44f8287b
- SHA256
- b89f1b1d24f67e4890badf888d5e02885c0ecea2ee7821d37fe975b6b05403b1
-
linker.dll
- Size
- 7.5KiB (7680 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/88
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 0d5cf965fafcb11f8744d0dc729339da
- SHA1
- ccfeb09534dce671a3fcd216606d7ee572a0341e
- SHA256
- 02ee7e90b9379827cb186df48db5b412aaf800196d6967762fb513b9143cd1ef
-
nsEnvVariables.dll
- Size
- 41KiB (41984 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 29924ed9ad063b5fda86aaf08dd3227f
- SHA1
- f2628d325dd17c1dcc8edd167e2417d7c582f5c5
- SHA256
- 083cbb8fdd692134bb80b6d12c0fcd71ede5444064d226b6d747e3227995e045
-
nsExec.dll
- Size
- 6KiB (6144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/92
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 08e9796ca20c5fc5076e3ac05fb5709a
- SHA1
- 07971d52dcbaa1054060073571ced046347177f7
- SHA256
- 8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
-
nsProcess.dll
- Size
- 4.5KiB (4608 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/91
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- f0438a894f3a7e01a4aae8d1b5dd0289
- SHA1
- b058e3fcfb7b550041da16bf10d8837024c38bf6
- SHA256
- 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
-
nsSessionSIDW.dll
- Size
- 59KiB (59904 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- ffc7b8a247e0830c004b6c8baa45b2cd
- SHA1
- 79cce9d080d025caabd8b5f16ed0bcd4b57f6b16
- SHA256
- c720cdef4a716df09c51ef95d1913462492038c383a2c27a4f12a6350d6e3438
-
System.dll
- Size
- 11KiB (11264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 959ea64598b9a3e494c00e8fa793be7e
- SHA1
- 40f284a3b92c2f04b1038def79579d4b3d066ee0
- SHA256
- 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
-
execDos.dll
- Size
- 5.5KiB (5632 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/90
- Runtime Process
- ReviverSoftSmartMonitorSetup.exe (PID: 4200)
- MD5
- 0deb397ca1e716bb7b15e1754e52b2ac
- SHA1
- fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5
- SHA256
- 720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f
-
-
Informative Selection 1
-
-
DriverReviverSetup_b44_5.27.0.22.exe
- Size
- 5MiB (5210112 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 9076d31831731f0cc2c9eb9de9a166b0
- SHA1
- 0227d4a60d5a52d83c7a815488a0edc994c35f70
- SHA256
- 39b495dc47aca08c18f8e4dbf0e36a549e153b6f2e63d989b706bed3ca8613cb
-
-
Informative 23
-
-
Uninstall.lnk
- Size
- 1.2KiB (1204 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 16 15:30:52 2018, mtime=Mon Feb 4 06:49:00 2019, atime=Tue Oct 16 15:30:52 2018, length=503232, window=hide
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 946cbe83b5dc11a5e741363ce52aff93
- SHA1
- 889e9e2b35bd87bf34debac5fd6995989fe816f4
- SHA256
- 289b754041b5057610cf1b5cf7237974380a4a44417b77da1b94a36e43a4b69c
-
CommonSettings.xml
- Size
- 426B (426 bytes)
- Runtime Process
- DriverReviver.exe (PID: 4624)
- MD5
- 1848f4fd475fdac99db3b350705ce9fb
- SHA1
- 10a755057bcb44e1d3779941c1221f71f4fc30cd
- SHA256
- 84df0f8608448a9fd1d6d7a4b856df1dbaded9fc977e0c02a68e9ae0ec787110
-
Brazilian.xml
- Size
- 33KiB (33713 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- c7a93150fe66f2c28209cfe354ddfe65
- SHA1
- 6d57d2a1313e664c649f2a07fc56bea356356305
- SHA256
- 1f53e5ff737078ffd570336156930372c3274f15e7c07da299fb877b22aa77da
-
Danish.xml
- Size
- 32KiB (32909 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- b6f06de8aeec8bbfe52bba6161885726
- SHA1
- e1090566bca1866eff42ab43ca566b416acad60b
- SHA256
- b017ae7e2cd931f82ebc0c176a56ab09fb14621718d4459c4b12c157bb9f2cf9
-
Dutch.xml
- Size
- 34KiB (34536 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- c17a047b89e81c2f28a0992e3994e2ad
- SHA1
- ec9a0dfd781a9a421457aac25b03d688287b39a6
- SHA256
- 46c845661f07e13c3cce87e47e2ff56a370ba0b62fd914fc8f99670c1919db08
-
English.xml
- Size
- 31KiB (31308 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 94c1b5ebce5271249b5300e2c874cd1f
- SHA1
- 5d280a4bc97b0d513c971b11f816b8c54b75a660
- SHA256
- 2ccc7f81f2a2bae64c08dd2d8dc448b5b2f70778bfb9ea19d223dc5596de5e11
-
Finnish.xml
- Size
- 32KiB (33241 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 068679352bd9122fb3881d698d5a7c9b
- SHA1
- ed956b4f00ca7656b24e411d3e50cb7c6536ad08
- SHA256
- 5640086e5cfffbc8a43550f3674c94233207dd8b62173de2ef8a0fb1dd8228da
-
French.xml
- Size
- 37KiB (37414 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 2a9669452064d0c789492d0ab9e2b4f4
- SHA1
- c494369dac9debdeb3fd307566164a157e54d4a9
- SHA256
- 6ad8487ac4c00298eaa472a010d9469faf44105f5301d1fcd7886f866d3048c9
-
German.xml
- Size
- 35KiB (35756 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 4668914c686b7787b265b63aeff43aae
- SHA1
- 7bc9e5e80c8582d519408c13c9cbc899a29be10a
- SHA256
- 2bf46874e044f9ef1abf166635176f974c25cf471ce1e6c7116b97ccaf76ebf0
-
Italian.xml
- Size
- 33KiB (33805 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- fa37b604d0249c82d22bf323c62129c4
- SHA1
- 5a535c31a256490d8e79d88cc2d1509b34c64857
- SHA256
- 8c07510f6804732132ff06e140bec6762d7861faf1f0fd22d5cd2a220dd7efa3
-
Japanese.xml
- Size
- 39KiB (40360 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- a8eb6f3758fb41b814331e7c7e97de99
- SHA1
- ff0844c1238dc4a7fb08ca6af4ca6330ce0df2c2
- SHA256
- 5f0f624c3b247cc0f6349a63683b69d389574003a8533819eec047d1e52139b8
-
Norwegian.xml
- Size
- 31KiB (32010 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 00492ab263daa1b0fa5c95512d96b9fd
- SHA1
- 54ebaf045766de5e9a549463ef431d933cdc70df
- SHA256
- f3a98e227519352d4792cf184401cf25242fe1fe6a2d179bc1e0c6dc8109e856
-
Russian.xml
- Size
- 50KiB (51248 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- b9824c58f714b0cd014c2d6401baf977
- SHA1
- bb9e16397b12afdaa0742067c466dd8474c78be1
- SHA256
- 7ed8fcdab4cba0d3e4e120022e4f3cd5000892f28711dc3ecdfc14651f41876a
-
Spanish.xml
- Size
- 35KiB (36322 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- c3797336c37fc63025dabcbfe000356e
- SHA1
- f4cf7f763bfaa541a0041326ebc3ac76805923a4
- SHA256
- 07ed1e033342d10caee1d3d8bfb9d972f7db570c3754d79a4f2395e05edb1481
-
Swedish.xml
- Size
- 33KiB (33443 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 8e43b7e11888379865811ac1dee87cc1
- SHA1
- 11c1a869e836dd0531ec7d7cb7d1286a4d327b6a
- SHA256
- 43212c5e7a61aab76f60c830f0e92ebaffa70254972cef775e3b17c5d07b75cd
-
TradChinese.xml
- Size
- 30KiB (30290 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 9f69d04f648934d67470cc70ba7100bc
- SHA1
- 5ebc07e3f0019e56c313d1b976b9a702ebf73aa4
- SHA256
- 233048b072bbc7d95e5cd7979f097923b6ae6bc201eb79dd06b5053c2c02d92d
-
Turkish.xml
- Size
- 34KiB (34788 bytes)
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 92320593d55ee80f5adf9d64bcf1d914
- SHA1
- 1bd182fa2468f860810d710b50e2aacdbe5f8c2b
- SHA256
- 72f0b0ee233245f5c0a0528d9fdf4802811776d96b72470ca84ef8595ac45aed
-
app_log.log
- Size
- 3.2KiB (3268 bytes)
- Runtime Process
- DriverReviver.exe (PID: 4624)
- MD5
- b6f5e4f945052a03509b3507bcb4ac64
- SHA1
- 512626d8f13fb956a026a51a98d72812a8c3361a
- SHA256
- 049d784cdcbb2cfa2d6e237a5b5eed72b0f0d4382dc10dc5dd92e36050ae53a2
-
freeDriver
- Size
- 93B (93 bytes)
- Runtime Process
- DriverReviver.exe (PID: 3904)
- MD5
- c9061b84dce44763efaf1e6c7d8f5488
- SHA1
- 3cb959b0939b71f92439367644ba7a109419e637
- SHA256
- cb08adbf95f889180f18d14a436bb318aa1fdc0ba818d104853adf8bc74331dc
-
AppSettings.xml
- Size
- 2KiB (2028 bytes)
- Runtime Process
- DriverReviver.exe (PID: 4624)
- MD5
- 959e2b86086cdb463066e6d2509e9abb
- SHA1
- 8873e833618468a7e26033958a7f6a0f92cca3da
- SHA256
- d7410eca92a0a2f8b6ef1e86f9a1d2e10d4609337d151ed3245ef225347dbdf6
-
DriverReviver.exe
- Size
- 5MiB (5226496 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- d549adc5ffef89c8daf3785e95b18331
- SHA1
- 8883e35cced32bba43531d8fb0c768dc26dac04e
- SHA256
- d06f2b45843da2a4563493564d8c4ba0ab7093bc8ee1aa64e06a46bb44e57dd0
-
Driver Reviver.lnk
- Size
- 1.2KiB (1200 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 16 15:30:50 2018, mtime=Mon Feb 4 06:45:00 2019, atime=Tue Oct 16 15:30:50 2018, length=29643048, window=hide
- Runtime Process
- DriverReviverSetup_b44_5.27.0.22.exe (PID: 4156)
- MD5
- 32f9d620809fb45d1e66420634baea0c
- SHA1
- a50cbb9b6095bef5b2b1f41b79a91f113d2996bf
- SHA256
- c804040e8f479d0e7a306d52ee452f5f00961226a585e4c6b85289c203700e7c
-
Start Driver Reviver for HAPUBWS-PC@HAPUBWS_logon_.job
- Size
- 358B (358 bytes)
- Type
- unknown
- Description
- VAX-order 68k Blit mpx/mux executable
- MD5
- bd7c1d35ed5cb99b3f99109e80294dc3
- SHA1
- d4f08f5d8f1ba965562343400ee862b91170fdb8
- SHA256
- 5ddab5b13ada27f90635500366d71c646aa2c8381e611d12d71ab78fd0a0e2b1
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Network whitenoise filtering was applied
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for sc.exe (PID: 4368)
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-77" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-1" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "network-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Some low-level data is hidden, as this is only a slim report