zloader | 6baa99b3494c8c8f8f0d2a76be07a4d602e81e412b8ecc5dfa49564a7bb30eda

Analysis

max time kernel
545s
max time network
469s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ViviSetup.exe
Size

113.1MB
MD5

913b1ade3be9997e30b3dfeab8f733c4
SHA1

c5046c370170b2b565f1341e192a7406238fb949
SHA256

6baa99b3494c8c8f8f0d2a76be07a4d602e81e412b8ecc5dfa49564a7bb30eda
SHA512

6e5d7700b5329dd7c963dfd31ec56fd78bf7c04136023455b751294affe9e2dea42edbcbe22e1024dea8420570b22331955cd1332a707d461a01f49f7218d477
SSDEEP

3145728:RifO83mHhj4NXbxNndXjNLYymIRJDe0/3rF:1AmB8NrrndJuEJDe0PrF

Score

10^/10

zloader botnet discovery evasion persistence ransomware trojan upx

Malware Config

Extracted

Path

C:\Program Files\Vivi Corporation\Vivi\LICENSES.chromium.html

Ransom Note

<!doctype html> <html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="color-scheme" content="light dark"> <title>Credits</title> <link rel="stylesheet" href="chrome://resources/css/text_defaults.css"> <link rel="stylesheet" href="chrome://credits/credits.css"> </head> <body> <span class="page-title" style="float:left;">Credits</span> <a id="print-link" href="#" style="float:right;" hidden>Print</a> <div style="clear:both; overflow:auto;"> <div class="product"> <span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span> <span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span> <input type="checkbox" hidden id="0"> <label class="show" for="0" tabindex="0"></label> <div class="licence"> <pre>Copyright(C) 1997,2001 Takuya OOURA (email: ooura@kurims.kyoto-u.ac.jp). You may use, copy, modify this code for any purpose and without fee. You may distribute this ORIGINAL package. </pre> </div> </div> <div class="product"> <span class="title">Abseil</span> <span class="homepage"><a href="https://github.com/abseil/abseil-cpp">homepage</a></span> <input type="checkbox" hidden id="1"> <label class="show" for="1" tabindex="0"></label> <div class="licence"> <pre> Apache License Version 2.0, January 2004 https://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. </pre> </div> </div> <div class="product"> <span class="title">Accessibility Audit library, from Accessibility Developer Tools</span> <span class="homepage"><a href="https://raw.githubusercontent.com/GoogleChrome/accessibility-developer-tools/master/dist/js/axs_testing.js">homepage</a></span> <input type="checkbox" hidden id="2"> <label class="show" for="2" tabindex="0"></label> <div class="licence"> <pre> Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, in

Emails

ooura@kurims.kyoto-u.ac.jp

<jserv@0xlab.org&gt

<tholo@sigmasoft.com&gt

<dm@uun.org&gt

<djm@openbsd.org&gt

<markus@openbsd.org&gt

<Todd.Miller@courtesan.com&gt

<wes@softweyr.com&gt

<mike@FreeBSD.org&gt

<kostik@iclub.nsu.ru&gt

<das@FreeBSD.ORG&gt

<otto@drijf.net&gt

<millert@openbsd.org&gt

<das@FreeBSD.org&gt

<ed@FreeBSD.org&gt

<theraven@FreeBSD.org&gt

<mpi@openbsd.org&gt

<ajacoutot@openbsd.org&gt

<deraadt@openbsd.org&gt

<beck@obtuse.com&gt

URLs

https://www.apache.org/licenses/

https://www.apache.org/licenses/LICENSE-2.0

http://www.apache.org/licenses/

http://www.apache.org/licenses/LICENSE-2.0

http://code.google.com/p/y2038

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/getentropy.2

http://mozilla.org/MPL/2.0/

http://www.torchmobile.com/

https://cla.developers.google.com/clas

http://www.openssl.org/)&quot

https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS

http://www.opensource.apple.com/apsl/

https://github.com/typetools/jdk

https://github.com/typetools/stubparser

https://github.com/typetools/annotation-tools

https://github.com/plume-lib/

http://www.mozilla.org/MPL/

http://source.android.com/

http://source.android.com/compatibility

http://www.apple.com/legal/guidelinesfor3rdparties.html

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Drops file in Drivers directory 6 IoCs

Processes:

DrvInst.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SETC0E0.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETC0E0.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\vhhcd.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETDC3C.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETDC3C.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\vhhub.sys	DrvInst.exe

Executes dropped EXE 14 IoCs

Processes:

MSIF82B.tmpMSIFCFE.tmpMSIFE27.tmpViviDisplaySetup64.exeviviusb64.exevhdrivers.exedpinsts.exeviviusb64.exeviviusb64.exeVivi.exeVivi.exeVivi.exeVivi.exeVivi.exe

pid	process
1256	MSIF82B.tmp
1472	MSIFCFE.tmp
1352	MSIFE27.tmp
392	ViviDisplaySetup64.exe
1972	viviusb64.exe
1984	vhdrivers.exe
1716	dpinsts.exe
2024	viviusb64.exe
2004	viviusb64.exe
1652	Vivi.exe
1932	Vivi.exe
1732	Vivi.exe
1212	Vivi.exe
1100	Vivi.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

576 netsh.exe

pid	process
576	netsh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1972-149-0x0000000140000000-0x000000014153D000-memory.dmp	upx
behavioral1/memory/1972-156-0x0000000140000000-0x000000014153D000-memory.dmp	upx
behavioral1/memory/2024-158-0x0000000140000000-0x000000014153D000-memory.dmp	upx
behavioral1/memory/2004-159-0x0000000140000000-0x000000014153D000-memory.dmp	upx
behavioral1/memory/2024-160-0x0000000140000000-0x000000014153D000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vivi.exeVivi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	Vivi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	Vivi.exe

Loads dropped DLL 64 IoCs

Processes:

ViviSetup.exeMsiExec.exeMsiExec.exeMsiExec.exemsiexec.exevhdrivers.exeviviusb64.exeDrvInst.exedpinsts.exeDrvInst.exeDrvInst.exeVivi.exeVivi.exeVivi.exeVivi.exeVivi.exe

pid	process
1224	ViviSetup.exe
1224	ViviSetup.exe
268	MsiExec.exe
268	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
776	MsiExec.exe
776	MsiExec.exe
776	MsiExec.exe
776	MsiExec.exe
776	MsiExec.exe
1224	ViviSetup.exe
1228	msiexec.exe
1228	msiexec.exe
1984	vhdrivers.exe
1972	viviusb64.exe
360	DrvInst.exe
360	DrvInst.exe
1716	dpinsts.exe
1716	dpinsts.exe
1932	DrvInst.exe
1932	DrvInst.exe
188	DrvInst.exe
188	DrvInst.exe
188	DrvInst.exe
1716	dpinsts.exe
1716	dpinsts.exe
2016	MsiExec.exe
2016	MsiExec.exe
2016	MsiExec.exe
1652	Vivi.exe
2016	MsiExec.exe
1932	Vivi.exe
1732	Vivi.exe
1212	Vivi.exe
1932	Vivi.exe
1932	Vivi.exe
1932	Vivi.exe
1100	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe
1212	Vivi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Vivi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Vivi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\electron.app.Vivi = "C:\\Program Files\\Vivi Corporation\\Vivi\\Vivi.exe --was-opened-at-login"	Vivi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ViviSetup.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	ViviSetup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	ViviSetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	ViviSetup.exe
File opened (read-only)	\??\X:	ViviSetup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	ViviSetup.exe
File opened (read-only)	\??\O:	ViviSetup.exe
File opened (read-only)	\??\Z:	ViviSetup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	ViviSetup.exe
File opened (read-only)	\??\T:	ViviSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	ViviSetup.exe
File opened (read-only)	\??\E:	ViviSetup.exe
File opened (read-only)	\??\H:	ViviSetup.exe
File opened (read-only)	\??\S:	ViviSetup.exe
File opened (read-only)	\??\V:	ViviSetup.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	ViviSetup.exe
File opened (read-only)	\??\L:	ViviSetup.exe
File opened (read-only)	\??\W:	ViviSetup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	ViviSetup.exe
File opened (read-only)	\??\P:	ViviSetup.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	ViviSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	ViviSetup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	ViviSetup.exe
File opened (read-only)	\??\N:	ViviSetup.exe

Drops file in System32 directory 49 IoCs

Processes:

DrvInst.exeDrvInst.exedpinsts.exeDrvInst.exeDrvInst.exeviviusb64.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\SETBA3C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\vhhub.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\vhhcd.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	dpinsts.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\SETBA4C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vhhub.inf_amd64_neutral_1a3c52656d767b6c\vhhub.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\SET407D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\vhhcd.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\vhhcd.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\SETC110.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\SET406B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\SETBA5E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	dpinsts.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\SETBA3C.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\SET406C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhhub.inf_amd64_neutral_1a3c52656d767b6c\vhhub.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	dpinsts.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\vvu22ED.tmp	viviusb64.exe
File created	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\SETBA4C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\vhhub.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\SETBA5D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\system32\SETC110.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\SET406C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\SET408D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhhcd.inf_amd64_neutral_f894f75020ec4dc6\vhhcd.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\SETBA5D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\SETBA5E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{02990fd2-0a10-48ee-994a-435f2bacb548}\vhhub.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\SET406B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\SET407D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vhhcd.inf_amd64_neutral_f894f75020ec4dc6\vhhcd.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\SET408D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}	DrvInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exedpinsts.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Program Files\Vivi Corporation\Vivi\extend\amd64\ViviDisplayDriver1_0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\chrome_200_percent.pak	msiexec.exe
File created	C:\PROGRA~1\DIFX\240F8689802EBDDD\dpinsts.exe	dpinsts.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\cs.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\it.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\ru.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\uk.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\gio-2.0-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\gobject-2.0-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\gstrtp-1.0-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\pangowin32-1.0-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\node_modules\@abandonware\bluetooth-hci-socket\build\Release\bluetooth_hci_socket.node	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\bn.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\et.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\hu.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\robot_pen.node	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\gstreamer-1.0-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\libexpat-1.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\streamer.node	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\ca.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\en-GB.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\ms.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\sv.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\librsvg-2-2.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\z-1.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\mr.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\extend\ViviDisplay.inf	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\extend\amd64\ViviDisplayDriver1_2.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\harfbuzz.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\th.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\chrome_100_percent.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\gstcontroller-1.0-0.dll	msiexec.exe
File opened for modification	C:\Program Files\Vivi Corporation\Vivi\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\libcroco-0.6-3.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\lt.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\libtiff-5.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\de.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\orc-0.4-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\LICENSES.chromium.html	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\vi.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\kn.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\zh-TW.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\usb\viviusb32.exe	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\pl.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\extend\x86\ViviDisplayDriver1_0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\swiftshader\libGLESv2.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\gstvideo-1.0-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\intl-8.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\v8_context_snapshot.bin	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\gmodule-2.0-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\gstaudio-1.0-0.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\libfreetype-6.dll	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\fa.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\ml.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\sl.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\zh-CN.pak	msiexec.exe
File opened for modification	C:\Program Files\Vivi Corporation\Vivi\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\sr.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\tr.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\insomnia.node	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\resources\app.asar.unpacked\build\Release\robot_touch.node	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\fil.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\locales\ko.pak	msiexec.exe
File created	C:\Program Files\Vivi Corporation\Vivi\extend\ViviDisplaySetup64.exe	msiexec.exe

Drops file in Windows directory 50 IoCs

Processes:

DrvInst.exeDrvInst.exeDrvInst.exemsiexec.exeviviusb64.exeDrvInst.exedpinsts.exeDrvInst.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIBA0D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB17.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEA1.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	viviusb64.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIFCFE.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.PNF	dpinsts.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF82B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE27.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	dpinsts.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dpinsts.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIBF6D.tmp	msiexec.exe
File created	C:\Windows\Installer\6db914.ipi	msiexec.exe
File created	C:\Windows\Installer\{D26B5D86-EEF5-417D-A1C8-012A72C62C40}\icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D26B5D86-EEF5-417D-A1C8-012A72C62C40}\icon.exe	msiexec.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinsts.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIBFEA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF75F.tmp	msiexec.exe
File created	C:\Windows\Installer\6db916.msi	msiexec.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6db913.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6db913.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6db914.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

dpinsts.exeDrvInst.exerundll32.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeviviusb64.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	dpinsts.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	dpinsts.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	dpinsts.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	dpinsts.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000c05cee4a5cd7d801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	viviusb64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000060fbeb4a5cd7d801	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000c05cee4a5cd7d801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	dpinsts.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	dpinsts.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	dpinsts.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	dpinsts.exe

Modifies registry class 36 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\Version = "50528258"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\SourceList\PackageName = "ViviSetup.x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Vivi Corporation\\Vivi 3.3.2\\install\\2C62C40\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vivi\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vivi	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\vivi\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\vivi	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vivi\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vivi\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68D5B62D5FEED7141A8C10A2276CC204	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\24A02147101AFB741AB52686001D5225\68D5B62D5FEED7141A8C10A2276CC204	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vivi\ = "URL:Vivi Protocol"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vivi\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68D5B62D5FEED7141A8C10A2276CC204\A918597FE054CCCB65ABDBA0AD8F63C	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vivi\shell\open\command\ = "C:\\Program Files\\Vivi Corporation\\Vivi\\Vivi.exe %1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\ProductName = "Vivi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\ProductIcon = "C:\\Windows\\Installer\\{D26B5D86-EEF5-417D-A1C8-012A72C62C40}\\icon.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\vivi\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68D5B62D5FEED7141A8C10A2276CC204\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Vivi Corporation\\Vivi 3.3.2\\install\\2C62C40\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\24A02147101AFB741AB52686001D5225	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\vivi\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\PackageCode = "1984F8A087F69A44BBE4394BA2A2ED1E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68D5B62D5FEED7141A8C10A2276CC204\Assignment = "1"	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Vivi.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Vivi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Vivi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Vivi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Vivi.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

MsiExec.exemsiexec.exepowershell.exepowershell.exepowershell.exeVivi.exe

pid process

2016 MsiExec.exe
1228 msiexec.exe
1228 msiexec.exe
2272 powershell.exe
2352 powershell.exe
2420 powershell.exe
1652 Vivi.exe
1652 Vivi.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

1948 msiexec.exe

pid	process
2016	MsiExec.exe
1228	msiexec.exe
1228	msiexec.exe
2272	powershell.exe
2352	powershell.exe
2420	powershell.exe
1652	Vivi.exe
1652	Vivi.exe

pid	process
1948	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeViviSetup.exe

description	pid	process
Token: SeRestorePrivilege	1228	msiexec.exe
Token: SeTakeOwnershipPrivilege	1228	msiexec.exe
Token: SeSecurityPrivilege	1228	msiexec.exe
Token: SeCreateTokenPrivilege	1224	ViviSetup.exe
Token: SeAssignPrimaryTokenPrivilege	1224	ViviSetup.exe
Token: SeLockMemoryPrivilege	1224	ViviSetup.exe
Token: SeIncreaseQuotaPrivilege	1224	ViviSetup.exe
Token: SeMachineAccountPrivilege	1224	ViviSetup.exe
Token: SeTcbPrivilege	1224	ViviSetup.exe
Token: SeSecurityPrivilege	1224	ViviSetup.exe
Token: SeTakeOwnershipPrivilege	1224	ViviSetup.exe
Token: SeLoadDriverPrivilege	1224	ViviSetup.exe
Token: SeSystemProfilePrivilege	1224	ViviSetup.exe
Token: SeSystemtimePrivilege	1224	ViviSetup.exe
Token: SeProfSingleProcessPrivilege	1224	ViviSetup.exe
Token: SeIncBasePriorityPrivilege	1224	ViviSetup.exe
Token: SeCreatePagefilePrivilege	1224	ViviSetup.exe
Token: SeCreatePermanentPrivilege	1224	ViviSetup.exe
Token: SeBackupPrivilege	1224	ViviSetup.exe
Token: SeRestorePrivilege	1224	ViviSetup.exe
Token: SeShutdownPrivilege	1224	ViviSetup.exe
Token: SeDebugPrivilege	1224	ViviSetup.exe
Token: SeAuditPrivilege	1224	ViviSetup.exe
Token: SeSystemEnvironmentPrivilege	1224	ViviSetup.exe
Token: SeChangeNotifyPrivilege	1224	ViviSetup.exe
Token: SeRemoteShutdownPrivilege	1224	ViviSetup.exe
Token: SeUndockPrivilege	1224	ViviSetup.exe
Token: SeSyncAgentPrivilege	1224	ViviSetup.exe
Token: SeEnableDelegationPrivilege	1224	ViviSetup.exe
Token: SeManageVolumePrivilege	1224	ViviSetup.exe
Token: SeImpersonatePrivilege	1224	ViviSetup.exe
Token: SeCreateGlobalPrivilege	1224	ViviSetup.exe
Token: SeCreateTokenPrivilege	1224	ViviSetup.exe
Token: SeAssignPrimaryTokenPrivilege	1224	ViviSetup.exe
Token: SeLockMemoryPrivilege	1224	ViviSetup.exe
Token: SeIncreaseQuotaPrivilege	1224	ViviSetup.exe
Token: SeMachineAccountPrivilege	1224	ViviSetup.exe
Token: SeTcbPrivilege	1224	ViviSetup.exe
Token: SeSecurityPrivilege	1224	ViviSetup.exe
Token: SeTakeOwnershipPrivilege	1224	ViviSetup.exe
Token: SeLoadDriverPrivilege	1224	ViviSetup.exe
Token: SeSystemProfilePrivilege	1224	ViviSetup.exe
Token: SeSystemtimePrivilege	1224	ViviSetup.exe
Token: SeProfSingleProcessPrivilege	1224	ViviSetup.exe
Token: SeIncBasePriorityPrivilege	1224	ViviSetup.exe
Token: SeCreatePagefilePrivilege	1224	ViviSetup.exe
Token: SeCreatePermanentPrivilege	1224	ViviSetup.exe
Token: SeBackupPrivilege	1224	ViviSetup.exe
Token: SeRestorePrivilege	1224	ViviSetup.exe
Token: SeShutdownPrivilege	1224	ViviSetup.exe
Token: SeDebugPrivilege	1224	ViviSetup.exe
Token: SeAuditPrivilege	1224	ViviSetup.exe
Token: SeSystemEnvironmentPrivilege	1224	ViviSetup.exe
Token: SeChangeNotifyPrivilege	1224	ViviSetup.exe
Token: SeRemoteShutdownPrivilege	1224	ViviSetup.exe
Token: SeUndockPrivilege	1224	ViviSetup.exe
Token: SeSyncAgentPrivilege	1224	ViviSetup.exe
Token: SeEnableDelegationPrivilege	1224	ViviSetup.exe
Token: SeManageVolumePrivilege	1224	ViviSetup.exe
Token: SeImpersonatePrivilege	1224	ViviSetup.exe
Token: SeCreateGlobalPrivilege	1224	ViviSetup.exe
Token: SeCreateTokenPrivilege	1224	ViviSetup.exe
Token: SeAssignPrimaryTokenPrivilege	1224	ViviSetup.exe
Token: SeLockMemoryPrivilege	1224	ViviSetup.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

ViviSetup.exemsiexec.exedinotify.exeVivi.exe

pid	process
1224	ViviSetup.exe
1948	msiexec.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
1948	msiexec.exe
1652	Vivi.exe
1652	Vivi.exe
980	dinotify.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

dinotify.exeVivi.exe

pid	process
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
980	dinotify.exe
1652	Vivi.exe
1652	Vivi.exe
980	dinotify.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

viviusb64.exeviviusb64.exeviviusb64.exe

pid process

1972 viviusb64.exe
1972 viviusb64.exe
2024 viviusb64.exe
2024 viviusb64.exe
2004 viviusb64.exe

pid	process
1972	viviusb64.exe
1972	viviusb64.exe
2024	viviusb64.exe
2024	viviusb64.exe
2004	viviusb64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeViviSetup.exeMSIF82B.tmpMSIFCFE.tmpMSIFE27.tmp

description	pid	process	target process
PID 1228 wrote to memory of 268	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 268	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 268	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 268	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 268	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 268	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 268	1228	msiexec.exe	MsiExec.exe
PID 1224 wrote to memory of 1948	1224	ViviSetup.exe	msiexec.exe
PID 1224 wrote to memory of 1948	1224	ViviSetup.exe	msiexec.exe
PID 1224 wrote to memory of 1948	1224	ViviSetup.exe	msiexec.exe
PID 1224 wrote to memory of 1948	1224	ViviSetup.exe	msiexec.exe
PID 1224 wrote to memory of 1948	1224	ViviSetup.exe	msiexec.exe
PID 1224 wrote to memory of 1948	1224	ViviSetup.exe	msiexec.exe
PID 1224 wrote to memory of 1948	1224	ViviSetup.exe	msiexec.exe
PID 1228 wrote to memory of 2016	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 2016	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 2016	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 2016	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 2016	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 2016	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 2016	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 776	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 776	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 776	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 776	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 776	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 776	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 776	1228	msiexec.exe	MsiExec.exe
PID 1228 wrote to memory of 1256	1228	msiexec.exe	MSIF82B.tmp
PID 1228 wrote to memory of 1256	1228	msiexec.exe	MSIF82B.tmp
PID 1228 wrote to memory of 1256	1228	msiexec.exe	MSIF82B.tmp
PID 1228 wrote to memory of 1256	1228	msiexec.exe	MSIF82B.tmp
PID 1228 wrote to memory of 1256	1228	msiexec.exe	MSIF82B.tmp
PID 1228 wrote to memory of 1256	1228	msiexec.exe	MSIF82B.tmp
PID 1228 wrote to memory of 1256	1228	msiexec.exe	MSIF82B.tmp
PID 1256 wrote to memory of 576	1256	MSIF82B.tmp	netsh.exe
PID 1256 wrote to memory of 576	1256	MSIF82B.tmp	netsh.exe
PID 1256 wrote to memory of 576	1256	MSIF82B.tmp	netsh.exe
PID 1256 wrote to memory of 576	1256	MSIF82B.tmp	netsh.exe
PID 1228 wrote to memory of 1472	1228	msiexec.exe	MSIFCFE.tmp
PID 1228 wrote to memory of 1472	1228	msiexec.exe	MSIFCFE.tmp
PID 1228 wrote to memory of 1472	1228	msiexec.exe	MSIFCFE.tmp
PID 1228 wrote to memory of 1472	1228	msiexec.exe	MSIFCFE.tmp
PID 1228 wrote to memory of 1472	1228	msiexec.exe	MSIFCFE.tmp
PID 1228 wrote to memory of 1472	1228	msiexec.exe	MSIFCFE.tmp
PID 1228 wrote to memory of 1472	1228	msiexec.exe	MSIFCFE.tmp
PID 1472 wrote to memory of 1516	1472	MSIFCFE.tmp	certutil.exe
PID 1472 wrote to memory of 1516	1472	MSIFCFE.tmp	certutil.exe
PID 1472 wrote to memory of 1516	1472	MSIFCFE.tmp	certutil.exe
PID 1472 wrote to memory of 1516	1472	MSIFCFE.tmp	certutil.exe
PID 1228 wrote to memory of 1352	1228	msiexec.exe	MSIFE27.tmp
PID 1228 wrote to memory of 1352	1228	msiexec.exe	MSIFE27.tmp
PID 1228 wrote to memory of 1352	1228	msiexec.exe	MSIFE27.tmp
PID 1228 wrote to memory of 1352	1228	msiexec.exe	MSIFE27.tmp
PID 1228 wrote to memory of 1352	1228	msiexec.exe	MSIFE27.tmp
PID 1228 wrote to memory of 1352	1228	msiexec.exe	MSIFE27.tmp
PID 1228 wrote to memory of 1352	1228	msiexec.exe	MSIFE27.tmp
PID 1352 wrote to memory of 1692	1352	MSIFE27.tmp	certutil.exe
PID 1352 wrote to memory of 1692	1352	MSIFE27.tmp	certutil.exe
PID 1352 wrote to memory of 1692	1352	MSIFE27.tmp	certutil.exe
PID 1352 wrote to memory of 1692	1352	MSIFE27.tmp	certutil.exe
PID 1228 wrote to memory of 392	1228	msiexec.exe	ViviDisplaySetup64.exe
PID 1228 wrote to memory of 392	1228	msiexec.exe	ViviDisplaySetup64.exe
PID 1228 wrote to memory of 392	1228	msiexec.exe	ViviDisplaySetup64.exe

C:\Users\Admin\AppData\Local\Temp\ViviSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ViviSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\ViviSetup.x64.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ViviSetup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1664817213 "
2⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 63C0ADCE8676E199AAD98181FC17275E C
2⤵
- Loads dropped DLL
PID:268

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5F2965A408A7BA17E9FCE9EDF157595C C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DCC15EDC7A31A55B43B20F054D8515B1
2⤵
- Loads dropped DLL
PID:776

C:\Windows\Installer\MSIF82B.tmp
"C:\Windows\Installer\MSIF82B.tmp" /RunAsAdmin /HideWindow C:\Windows\System32\netsh.exe advfirewall firewall add rule name="Vivi" program="C:\Program Files\Vivi Corporation\Vivi\Vivi.exe" enable=yes dir=in action=allow
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Vivi" program="C:\Program Files\Vivi Corporation\Vivi\Vivi.exe" enable=yes dir=in action=allow
3⤵
- Modifies Windows Firewall
PID:576

C:\Windows\Installer\MSIFCFE.tmp
"C:\Windows\Installer\MSIFCFE.tmp" /RunAsAdmin /HideWindow C:\Windows\System32\certutil.exe -f -delstore root b031f460609536ff63d97d0f2a0a56857c83cbdd
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -f -delstore root b031f460609536ff63d97d0f2a0a56857c83cbdd
3⤵
PID:1516

C:\Windows\Installer\MSIFE27.tmp
"C:\Windows\Installer\MSIFE27.tmp" /RunAsAdmin /HideWindow C:\Windows\System32\certutil.exe -f -delstore root baca91c082eebcd0f90e96313fbf2ae55802557d
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -f -delstore root baca91c082eebcd0f90e96313fbf2ae55802557d
3⤵
PID:1692

C:\Program Files\Vivi Corporation\Vivi\extend\ViviDisplaySetup64.exe
"C:\Program Files\Vivi Corporation\Vivi\extend\ViviDisplaySetup64.exe" install
2⤵
- Executes dropped EXE
PID:392

C:\Program Files\Vivi Corporation\Vivi\usb\viviusb64.exe
"C:\Program Files\Vivi Corporation\Vivi\usb\viviusb64.exe" --install-drivers
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Users\Admin\AppData\Local\Temp\vhdrivers.exe
"C:\Users\Admin\AppData\Local\Temp\vhdrivers.exe" /T:"C:\Users\Admin\AppData\Local\Temp\vhdrivers" /C
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984

C:\Users\Admin\AppData\Local\Temp\vhdrivers\dpinsts.exe
"C:\Users\Admin\AppData\Local\Temp\vhdrivers\dpinsts.exe" /SW
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1716

C:\Program Files\Vivi Corporation\Vivi\usb\viviusb64.exe
"C:\Program Files\Vivi Corporation\Vivi\usb\viviusb64.exe" --install-service-na --redirect=NUL
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1584

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003EC" "0000000000000494"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1596

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6c108a01-7b0c-6645-9758-334925e39a62}\vhhcd.inf" "9" "68e10879b" "00000000000003EC" "WinSta0\Default" "00000000000003B4" "208" "c:\users\admin\appdata\local\temp\vhdrivers"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1204

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{0cfee302-e2c9-2ce2-893e-cd2c6d5dc519} Global\{6fad56fc-714a-36c3-c55a-ee3a1b9a9159} C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\vhhcd.inf C:\Windows\System32\DriverStore\Temp\{168c30c4-0b6b-4aac-c9e2-e22c166e1f30}\vhhcd.cat
2⤵
- Modifies data under HKEY_USERS
PID:1968

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{121e8ad1-15b6-702c-9d7f-555e1b4e671b}\vhhub.inf" "9" "698545f3f" "00000000000003B4" "WinSta0\Default" "0000000000000338" "208" "c:\users\admin\appdata\local\temp\vhdrivers"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1092

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\USB\0000" "C:\Windows\INF\oem2.inf" "vhhcd.inf:Standard.NTamd64:vh_Device:21.41.2.515:root\vhhcd" "636397d67" "00000000000003B4" "00000000000005C4" "000000000000032C"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:360

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{834e9d43-4201-4f92-862c-97667f8b1f0e} "(null)"
1⤵
PID:1088

C:\Windows\System32\dinotify.exe
"C:\Windows\System32\dinotify.exe" pnpui.dll,SimplifiedDINotification
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:980

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "USB\VHHUB\1&2b53a856&0" "" "" "659d82cdf" "0000000000000000" "000000000000059C" "00000000000005B4"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1932

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "USB\VHHUB\1&2B53A856&0" "C:\Windows\INF\oem3.inf" "vhhub.inf:Standard.NTamd64:vh_Device:21.41.2.531:usb\vhhub" "647274277" "00000000000003EC" "00000000000005AC" "00000000000005D4"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:360

C:\Program Files\Vivi Corporation\Vivi\usb\viviusb64.exe
"C:\Program Files\Vivi Corporation\Vivi\usb\viviusb64.exe" -n -e
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Program Files\Vivi Corporation\Vivi\Vivi.exe
"C:\Program Files\Vivi Corporation\Vivi\Vivi.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1652

C:\Program Files\Vivi Corporation\Vivi\Vivi.exe
"C:\Program Files\Vivi Corporation\Vivi\Vivi.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Vivi" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1004 --field-trial-handle=1068,i,14747955334949605771,9245645625611735644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932

C:\Program Files\Vivi Corporation\Vivi\Vivi.exe
"C:\Program Files\Vivi Corporation\Vivi\Vivi.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Vivi" --mojo-platform-channel-handle=1304 --field-trial-handle=1068,i,14747955334949605771,9245645625611735644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Program Files\Vivi Corporation\Vivi\Vivi.exe
"C:\Program Files\Vivi Corporation\Vivi\Vivi.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Vivi" --app-user-model-id=electron.app.Vivi --app-path="C:\Program Files\Vivi Corporation\Vivi\resources\app.asar" --no-sandbox --no-zygote --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1496 --field-trial-handle=1068,i,14747955334949605771,9245645625611735644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\windows\sysnative\reg QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
3⤵
PID:2236

C:\windows\system32\reg.exe
C:\windows\sysnative\reg QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
4⤵
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c "Get-CimInstance -Class CIM_Processor | Select-Object -Property AddressWidth,MaxClockSpeed,Name,NumberOfCores | Format-List"
3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c "Get-CimInstance -Class Win32_PhysicalMemoryArray | Select-Object -Property MaxCapacity | Format-List"
3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c "Get-CimInstance -Class CIM_OperatingSystem | Select-Object -Property Caption,Organization,OSArchitecture,Version | Format-List"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "ver"
3⤵
PID:2488

C:\Program Files\Vivi Corporation\Vivi\Vivi.exe
"C:\Program Files\Vivi Corporation\Vivi\Vivi.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Vivi" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=1004 --field-trial-handle=1068,i,14747955334949605771,9245645625611735644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI32D4.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI341D.tmp
Filesize
929KB

MD5
7b28f3f2c070210ee4b1059a6fc6a3a4

SHA1
a22cfe1e151e02dbfeb4ce532999e0f70f7ba7a5

SHA256
c3151770c17340ee8e5281db2c3f7fc218733781dab474094a31ed046a923f3f

SHA512
36ddcc74a254bdb922b9f130d21c83dcc8a1ab2324223a1eab9839b846c8d5abf1bad69498be396b0f6a9a04621e1e6562787144df38901140a6a9c3c89f0ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3757.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI41F7.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4284.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI42F3.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI455C.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI49EF.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4A5D.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B09.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4BB6.tmp
Filesize
929KB

MD5
7b28f3f2c070210ee4b1059a6fc6a3a4

SHA1
a22cfe1e151e02dbfeb4ce532999e0f70f7ba7a5

SHA256
c3151770c17340ee8e5281db2c3f7fc218733781dab474094a31ed046a923f3f

SHA512
36ddcc74a254bdb922b9f130d21c83dcc8a1ab2324223a1eab9839b846c8d5abf1bad69498be396b0f6a9a04621e1e6562787144df38901140a6a9c3c89f0ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\LICENSES.chromium.html
Filesize
5.3MB

MD5
dfa12f4edccb902d7d3b07fae219f176

SHA1
c2073440a5add265b4143de05e6864fed2c3b840

SHA256
501f0b7ebf0be7ed8702d317332a0f8820af837c0a2a1d7645ba04352270e2b8

SHA512
eee3a8e0eeae139ddd9369d0869c29c91007bf6c5b0d7982918d5a013214a9e80b9233e7c1ccb43124152f684f0b782831b0a6b3d126558261dd161230004e50

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\Vivi.exe
Filesize
122.5MB

MD5
270115cb8571601ccff3b5eccecb066a

SHA1
a831b89de23b57d220f103c0cab568ae9efd4f56

SHA256
c5a0b0e07c06bfe803b88b734cfdbe7f3b69926eaab0b0e546ede801370db617

SHA512
2d9997c69c0ab85a489f22fc76c7513cd138a87fdab1868acd9492019f72c7eb2851914ec425d54a0f1af956e9b931fe0584c63c567eee1617d5ad65b86ef175

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\ViviSetup.x64.msi
Filesize
4.1MB

MD5
7110ace6bca530005253b57499cc237d

SHA1
bfbe93e43843d970639928bde7d15fa02fba6fac

SHA256
625ba209ffac90cb578f890245f36d4007fa161d630011c15b078650d2a5426c

SHA512
c1d2b6e3cfba7a9b6b1ab078ccadee58cfb3c3e267afce075bd674d553930727c074f1f60d68c500350e3a9a551914776836ad861d33f8ecee8c2f5d43a5bae3

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\d3dcompiler_47.dll
Filesize
3.5MB

MD5
2f2e363c9a9baa0a9626db374cc4e8a4

SHA1
17f405e81e5fce4c5a02ca049f7bd48b31674c8f

SHA256
2630f4188bd2ea5451ca61d83869bf7068a4f0440401c949a9feb9fb476e15df

SHA512
e668a5d1f5e6f821ebfa0913e201f0dfd8da2f96605701f8db18d14ea4fdeac73aeb9b4fe1f22eaeffcdd1c0f73a6701763727d5b09775666f82b678404e4924

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\ffmpeg.dll
Filesize
2.5MB

MD5
d3ffc36ddd21357320e256314ba0bbed

SHA1
b0aa24771ccea0ffec089cd7aa5a6a2f2203c1f0

SHA256
226b591f952480fda136a0831800417339d5b5786d865278707fd57bc6e099da

SHA512
bf193b2244f18521e8fc548308a64b3018d0838c0664a7620c3c55a100032af8399ad8ba7a6b9d301bd01ac3bb72c8f2d32f516d8296829dbd710fdff8823b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\icudtl.dat
Filesize
9.8MB

MD5
d866d68e4a3eae8cdbfd5fc7a9967d20

SHA1
42a5033597e4be36ccfa16d19890049ba0e25a56

SHA256
c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d

SHA512
4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\libEGL.dll
Filesize
365KB

MD5
0387de184059e5aed5b19da1450a40ca

SHA1
75d7e35f4091595cfd68525b8300e33e0a2aed63

SHA256
cc3ffc27c7d079f20795c5e49d0dc9361eaa313c0dc1b8d8cb5b35248cd1d314

SHA512
371825236c4195bf07bdfd72ea09df8b5ae64587499a7f6a32a4ef8a645d17f42899903c7e5c7a502b2d7047a24c844950a97f65d4ce0ccf48bce00a762147e9

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\libGLESv2.dll
Filesize
6.0MB

MD5
690895b04139b3ba5b423bb54ee0ccb7

SHA1
74892cd69ddcd113e0726fcb581c99c3b75129fe

SHA256
4f40ffe4beaf8add8b349287439a2ed4cdd732b508c9812979091d09a7b20915

SHA512
eafd6b6c51890c7e49591e84b0ad98ec7aafb8333df5c2459317af1101bddd0bd50a86b4f2329ce7f5cf96716cd25bd0a503ea0df8d8d6f9cbfa77b0e1e78785

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\am.pak
Filesize
187KB

MD5
a837fba4dfb4d4cd4aee335a1f4283f9

SHA1
c1e18297525d3148b322b344943b786d03bcdc85

SHA256
ffc9f94021d749028db9bcfa7b459cb12f0eafbb0e6c1075384f6e9faf6a4e08

SHA512
6c4f7b110f629f801f1dcbc9081598b87bac16f38746fafa22a5e2c683c8a62c2ac8dacfa609c3ec32262011f232baaa3bcdc0c817182fbd9564e87e3c758515

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\ar.pak
Filesize
194KB

MD5
9b610c0107724603b19893c4ccc551a0

SHA1
37d987196c640861b336628d67e22ef283115e7d

SHA256
f9d96af7d5ef9e0b4f4ef133a98a64b4398c7aef04e20688b523e6ea27c61f15

SHA512
e99c07e474278990027e560d0f0464ed0d59c485226b56c8318470c41b5976602b1d52659996ebeececc3d59927577202ab6312e07f40f71eb39972ae5296bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\bg.pak
Filesize
209KB

MD5
b31d30dc4c35c73b24ff99fca4df2b09

SHA1
218da4f9f6749f4f38d46c6a784164c2fe6e3c77

SHA256
b035d2d6c7f9465d5004ff4c57a986d7b97f117475280c04547aae7b6c061345

SHA512
29344a284ae2732dc274d0b569d5fe59eb483cde0aa7108022efa9c76057fe93f76596029bd5910b6ce467ab74e7cbb093b9514aed24bdb4eccee0dad234320e

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\bn.pak
Filesize
268KB

MD5
ecff6f8dc301b6b435df5e44c2ae8a2a

SHA1
6fdfa4136f3bb5ccd9e4e7b4706db98f17f85c1b

SHA256
3250adece302934b9a78569d72ca70e596d91865455d5274ccf8d651ccac5350

SHA512
c9e22ff9fef3c2eef6b25886e32a27fd19d56c1085c993aea1d5a1528d65735b0628b825a2834a1b8b2512d8abf59cabb3b35044484f566057826eaa3cfa682d

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\ca.pak
Filesize
133KB

MD5
31a034d89075c0660f25d693cb759a36

SHA1
ddbfdb8523f4093797877ea6d587d0b30b8c0d95

SHA256
ba258eaf322bd3c4f473f82249df55e6f5bd55b81d69e98c0afc43127a6b6ce5

SHA512
c8280b7ad8be3ade7ff758168577feeb35cb7d442e074577fd576ce137c2dfa545f3352214e2eb563c2e0ea9e41158070b270e4eb61164a0825216a635b0b0dc

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\cs.pak
Filesize
136KB

MD5
c64366988f8d46b6912f2d6be0120b1a

SHA1
3a33fe58ca30f41ea341cc9b9413a6cbdd6a1e4b

SHA256
30fd14794ee1088d37387f42e5d366f962fa9273eba8ccdd9b950646d2dd6172

SHA512
8990d212aff170a547733b0cd54055ecf6d30319189a7d88cda149b8994986c9ccc899d203fa4cedcdacb3217b2b72e2a9e69aa195b285aa388bf2af125158fe

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\da.pak
Filesize
124KB

MD5
9fb8a421caf18588b494c3f34d8764c6

SHA1
201ac33074c76830893197ab9382ec84553f1794

SHA256
0997be868557f97f013242c066b192e574b4fa553d13f37f97a1de714b95a858

SHA512
59b2fd820f9bd45015444c85fcb55e04027836e62c6a9187e8ce0c2a9aea6e5e626b76627c9601f69e769d4ddd09f6a8ccc2dfdda6835e261b94a5af91d8bbf9

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\de.pak
Filesize
133KB

MD5
a4d8eecec2747ffb12551ab8e93fafdf

SHA1
59aa4c3a7179c46c7699d0d918dd92722a614def

SHA256
d67f95e2982e7debf67741b88ce054f5bb8356021a280e092227b77ec82e298f

SHA512
1de20fa8798d050966c99aa0590c7460a40b6ff41afc36645c1f4655a09f6070530adbd1d6fb5937d1fc9965c7aac932dbb06a0ff47f31bcb6d4717eaa81613e

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\el.pak
Filesize
229KB

MD5
75fb5812110af60093ad07bf9bcde58c

SHA1
6ecd390d353c1100f0eeb35941924704006f9440

SHA256
b5e08b47b4fb44d43c775bbca7e0a311d7a2c976e17f3f0f67c5feccde1a9bab

SHA512
d7747f2670cd8c6edfa4a0a0e1a72ba2d097e48fe9d17643630f7d62e7fe14648cae767a7e56fbd4152c46b901c04b48e238e737ae8f0ec64e49a5943b4121d4

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\en-GB.pak
Filesize
109KB

MD5
998947b55a25776181cc11110902f6d7

SHA1
a93272eb26eb9977833fb809df593759f2533570

SHA256
fcbcdfb71363750a9e404a365a00f196c9ed4fe149532580f149811475b45636

SHA512
a58b9b8bf6c2c2b14f870fdd3557b18aa002f5cc8c270eb0d35a1aab3cb864cf472328f0515039515879c9b355569b7d049ca1a1569304cf347b40b5815b726f

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\en-US.pak
Filesize
110KB

MD5
5cc884bf0ec1c702240173b35a421d1b

SHA1
19bdfb0b31dc4a75e7c135d1a8ef76f5f6cc3a31

SHA256
9f0c75c84381360677055d6197812c7a6c42dbfc6134eb8212d8a60ed1ca1601

SHA512
48772f50f6b0d846084a0cfb0d6433f2fbf73677b557b022d0d73d04790636c0c40ed873c32fd037013e943fb7c24816efdcde38429520895c00c2d85a17ea5c

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\es-419.pak
Filesize
131KB

MD5
10b1d1097987ea050a5791eceb5eabda

SHA1
c0812fbc16592a39cd1600196e62d0000b22bd73

SHA256
04b24396cc017e1dbb0bca7371d7cae10cad2350da661a8a035b572aa76cbd49

SHA512
f2a6767eae2d5eebff35f6b7d3a932ffd797fdfb48023c75b3c98b1ced5b3695ec12e642d68582da1aacac1c59b0d3a2f029c702d0df02d7b08430384d40e178

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\es.pak
Filesize
133KB

MD5
d31e3f8f5ca7069af16e7ff45d98c198

SHA1
fb1c23b5c692fbfcca83118ef813bb1860402c8e

SHA256
ef3357c8b1905ec95a8298dbab05bd9678bdfbdadd92d75c9bc9a014917667fd

SHA512
bceb5ff67036b1b28dd216c4961cae8a5e3d2bd1b3db269dfd99322ec45cd19f2ccbd608ca9b091e1456679b37d6ded80b566bae2989bd300a0aee08a12b6a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\et.pak
Filesize
120KB

MD5
52cf907e12f656dff9ccfe845c22158e

SHA1
4d4de85d8856eed106abfa7e2654b2a0ba808392

SHA256
862905e325a73c4581c346bd61031ffb1d6e8a9e50a8d632150ff3cb41c1b435

SHA512
9b0f484bbe2ea633db353671333d42e9a4e57cff441abab3041465d17ca78c3d51aca2e1f038e7dfd8ec58e20c1dfbaa261069f2e71d3c20c71761c5e3478557

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\fa.pak
Filesize
186KB

MD5
28fd9ef045bf0fad9f69d8b2ab81d64b

SHA1
0f14f0b2ba89bbd848ded10778c989300d964ba8

SHA256
c2554ebcb884a9132aef2470f9eed4effd948105bc14cbe533ec80eeefb4c732

SHA512
6c7def962f89ce0e23b0bffcf70770ce479083febd0e4f3b224ed87fc7d5e0789a019d5ab52f67b11ede4ede23fc2d905248241fd95dd664e32a1303003328ca

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\fi.pak
Filesize
122KB

MD5
dd7e21b02bdced910a171d592fae0b18

SHA1
cc28f1b8f0b06e71dac3802ee26f644837982fa5

SHA256
9e1c20ecdbe9d15386ed493d0ac839612cc91a2284d5a97d9dc38ea2c90a3dc1

SHA512
12b3fd4ba110087074d5bef6237eeba96edefbcc31bb701142da058034af591a627b7b07550670689733a32c747991ae4555884796d29631b7865d06b13e90f7

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\locales\fil.pak
Filesize
137KB

MD5
9f3a970c8fed49ac50bddbf09dd9a950

SHA1
e8b986d42d4a79c513bf2da3d3314fbf55a2a960

SHA256
7a4c4822516f47cdbabc4b9ef45b710b057a056bc29d3a4a270a22e963e257d3

SHA512
4533a05b38e45f8cedffdecefb77ed9af44aba799f030a770b616ec7867fd0d7893de67528a611d1002d18e3ee7f8799944804e008ec8217cbf59e03a19139b5

Download Submit
C:\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\2C62C40\snapshot_blob.bin
Filesize
279KB

MD5
3770fdf26c7f2cf01222618fd56f1336

SHA1
03367c5d6ee7ff282b71417c38bedf82ce6dac21

SHA256
4de608f0a9dda4a10da3cd38f7732b9fcad6b9bf51640a4f766df87aedf4b797

SHA512
f7d6fb1212faa70f81d510075bb289d729983c9f20227a8e5bfc979363c5249e54f6b1292c5eaa741b6b3485bd89f75be1667594bd6005d213d43229c8bea91d

Download Submit
C:\Windows\Installer\MSIBA0D.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSIBB17.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSIBEA1.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
C:\Windows\Installer\MSIBF6D.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
C:\Windows\Installer\MSIBFEA.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
C:\Windows\Installer\MSIF82B.tmp
Filesize
410KB

MD5
20010f9d322a1260ee0953852264a7cd

SHA1
6ac58fdf5e414bd6396443a420da99b87ee0e0a2

SHA256
d6973be60891c55e0e97d218347dcb2009e2fe687b7df5cfd43536d2af6ea165

SHA512
2f62cb4269d929f8bc97c103156de3588b38e9f4c2776d7441db270b8427c2b47bc8e57d786c06da37455b105b077b789e161b21a145a33e420522864d1f913a

Download Submit
C:\Windows\Installer\MSIFCFE.tmp
Filesize
410KB

MD5
20010f9d322a1260ee0953852264a7cd

SHA1
6ac58fdf5e414bd6396443a420da99b87ee0e0a2

SHA256
d6973be60891c55e0e97d218347dcb2009e2fe687b7df5cfd43536d2af6ea165

SHA512
2f62cb4269d929f8bc97c103156de3588b38e9f4c2776d7441db270b8427c2b47bc8e57d786c06da37455b105b077b789e161b21a145a33e420522864d1f913a

Download Submit
C:\Windows\Installer\MSIFE27.tmp
Filesize
410KB

MD5
20010f9d322a1260ee0953852264a7cd

SHA1
6ac58fdf5e414bd6396443a420da99b87ee0e0a2

SHA256
d6973be60891c55e0e97d218347dcb2009e2fe687b7df5cfd43536d2af6ea165

SHA512
2f62cb4269d929f8bc97c103156de3588b38e9f4c2776d7441db270b8427c2b47bc8e57d786c06da37455b105b077b789e161b21a145a33e420522864d1f913a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI32D4.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI341D.tmp
Filesize
929KB

MD5
7b28f3f2c070210ee4b1059a6fc6a3a4

SHA1
a22cfe1e151e02dbfeb4ce532999e0f70f7ba7a5

SHA256
c3151770c17340ee8e5281db2c3f7fc218733781dab474094a31ed046a923f3f

SHA512
36ddcc74a254bdb922b9f130d21c83dcc8a1ab2324223a1eab9839b846c8d5abf1bad69498be396b0f6a9a04621e1e6562787144df38901140a6a9c3c89f0ae2

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3757.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI41F7.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4284.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
\Users\Admin\AppData\Local\Temp\MSI42F3.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
\Users\Admin\AppData\Local\Temp\MSI455C.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI49EF.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4A5D.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4B09.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4BB6.tmp
Filesize
929KB

MD5
7b28f3f2c070210ee4b1059a6fc6a3a4

SHA1
a22cfe1e151e02dbfeb4ce532999e0f70f7ba7a5

SHA256
c3151770c17340ee8e5281db2c3f7fc218733781dab474094a31ed046a923f3f

SHA512
36ddcc74a254bdb922b9f130d21c83dcc8a1ab2324223a1eab9839b846c8d5abf1bad69498be396b0f6a9a04621e1e6562787144df38901140a6a9c3c89f0ae2

Download Submit
\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\decoder.dll
Filesize
206KB

MD5
40cea5eb829c3ba2e30ea635006cfeb2

SHA1
6710dfb83c99790ef0f5853c42a08ec09a2111ea

SHA256
1d757c73a19dcc9c36578be99c50624f937aca3ff0cfa82bece6aadbc633f4a7

SHA512
b7a003b14a2680696e7e9f178a345ebbafd7b4f818b8ce3eb681a13c2fb84c0bbb877158114c8c79de396533a2a491b9ee90d9fc434d0c3ff7ccaddbbeedfaa6

Download Submit
\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\decoder.dll
Filesize
206KB

MD5
40cea5eb829c3ba2e30ea635006cfeb2

SHA1
6710dfb83c99790ef0f5853c42a08ec09a2111ea

SHA256
1d757c73a19dcc9c36578be99c50624f937aca3ff0cfa82bece6aadbc633f4a7

SHA512
b7a003b14a2680696e7e9f178a345ebbafd7b4f818b8ce3eb681a13c2fb84c0bbb877158114c8c79de396533a2a491b9ee90d9fc434d0c3ff7ccaddbbeedfaa6

Download Submit
\Users\Admin\AppData\Roaming\Vivi Corporation\Vivi 3.3.2\install\decoder.dll
Filesize
206KB

MD5
40cea5eb829c3ba2e30ea635006cfeb2

SHA1
6710dfb83c99790ef0f5853c42a08ec09a2111ea

SHA256
1d757c73a19dcc9c36578be99c50624f937aca3ff0cfa82bece6aadbc633f4a7

SHA512
b7a003b14a2680696e7e9f178a345ebbafd7b4f818b8ce3eb681a13c2fb84c0bbb877158114c8c79de396533a2a491b9ee90d9fc434d0c3ff7ccaddbbeedfaa6

Download Submit
\Windows\Installer\MSIBA0D.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Windows\Installer\MSIBB17.tmp
Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Windows\Installer\MSIBEA1.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
\Windows\Installer\MSIBF6D.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
\Windows\Installer\MSIBFEA.tmp
Filesize
632KB

MD5
db4e30e47be69408ccdebffc517764c1

SHA1
9ab0db45e9c84670fe8a3181bf38511e8776815f

SHA256
3558203b78ee8ea16f1151cc7034ad9fd4850fce0f948aed4231b870ae51904a

SHA512
a32ed4fec7e381605e8d0fc463bf65140d5dc7a499aced785b4ef644a5bae1a4dc693ba33be8be46b07ccd049fceef95136a8fd852219ff18293c19da5fed129

Download Submit
memory/268-59-0x0000000000000000-mapping.dmp

Download
memory/392-141-0x0000000000000000-mapping.dmp

Download
memory/576-104-0x0000000000000000-mapping.dmp

Download
memory/776-88-0x0000000000000000-mapping.dmp

Download
memory/980-154-0x0000000000000000-mapping.dmp

Download
memory/1100-231-0x0000000000000000-mapping.dmp

Download
memory/1212-199-0x0000000000000000-mapping.dmp

Download
memory/1212-255-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/1212-246-0x000000000D5C0000-0x000000000DD92000-memory.dmp

Filesize
7.8MB

Download
memory/1212-248-0x000000000DDA0000-0x000000000DE90000-memory.dmp

Filesize
960KB

Download
memory/1212-250-0x000000000DE90000-0x000000000E132000-memory.dmp

Filesize
2.6MB

Download
memory/1212-252-0x000000000C720000-0x000000000C753000-memory.dmp

Filesize
204KB

Download
memory/1212-254-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/1224-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1224-55-0x0000000073D41000-0x0000000073D43000-memory.dmp

Filesize
8KB

Download
memory/1228-152-0x0000000140000000-0x000000014153D000-memory.dmp

Filesize
21.2MB

Download
memory/1228-58-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1228-146-0x0000000140000000-0x000000014153D000-memory.dmp

Filesize
21.2MB

Download
memory/1256-101-0x0000000000000000-mapping.dmp

Download
memory/1352-111-0x0000000000000000-mapping.dmp

Download
memory/1472-106-0x0000000000000000-mapping.dmp

Download
memory/1516-109-0x0000000000000000-mapping.dmp

Download
memory/1692-114-0x0000000000000000-mapping.dmp

Download
memory/1716-147-0x0000000000000000-mapping.dmp

Download
memory/1732-194-0x0000000000000000-mapping.dmp

Download
memory/1932-192-0x0000000000000000-mapping.dmp

Download
memory/1948-65-0x0000000000000000-mapping.dmp

Download
memory/1968-150-0x0000000000000000-mapping.dmp

Download
memory/1972-156-0x0000000140000000-0x000000014153D000-memory.dmp

Filesize
21.2MB

Download
memory/1972-149-0x0000000140000000-0x000000014153D000-memory.dmp

Filesize
21.2MB

Download
memory/1972-142-0x0000000000000000-mapping.dmp

Download
memory/1984-144-0x0000000000000000-mapping.dmp

Download
memory/2004-159-0x0000000140000000-0x000000014153D000-memory.dmp

Filesize
21.2MB

Download
memory/2016-68-0x0000000000000000-mapping.dmp

Download
memory/2024-160-0x0000000140000000-0x000000014153D000-memory.dmp

Filesize
21.2MB

Download
memory/2024-158-0x0000000140000000-0x000000014153D000-memory.dmp

Filesize
21.2MB

Download
memory/2024-157-0x0000000000000000-mapping.dmp

Download
memory/2236-235-0x0000000000000000-mapping.dmp

Download
memory/2260-236-0x0000000000000000-mapping.dmp

Download
memory/2272-237-0x0000000000000000-mapping.dmp

Download
memory/2352-239-0x0000000000000000-mapping.dmp

Download
memory/2352-241-0x0000000071B60000-0x000000007210B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-242-0x0000000000000000-mapping.dmp

Download
memory/2420-244-0x0000000072110000-0x00000000726BB000-memory.dmp

Filesize
5.7MB

Download
memory/2488-245-0x0000000000000000-mapping.dmp

Download