Analysis Overview
SHA256
202a0f062a55dff3f26247077837a870d128d4ce6a32b9ee8faf06b2db353f20
Threat Level: Shows suspicious behavior
The file 1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
UPX packed file
Checks installed software on the system
Drops Chrome extension
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-04 16:35
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
108s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\CLSID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1\ = "escrtSrvc Object" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\tlbrId = "base" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\run4ie = "end" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\Instl | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\ffxUnstlRst = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd.1\CLSID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ = "IxpEmphszr" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\ = "escrtAx Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\AppID = "{905E34C2-F4EB-49BE-A36B-47692CF957A8}" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\ProgID\ = "ividi.ividiappCore.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\VersionIndependentProgID\ = "ividi.ividiappCore" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dsIE | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ = "IwebAtrbts" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CLSID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\newTab = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\run4ie = "start" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ = "IwebAtrbts" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiApp.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\ProgID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\ProgID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ProgID\ = "ividi.ividiHlpr.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 112.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | 228.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nst7734.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nst7734.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nst7734.tmp\chrmPref.dll
| MD5 | b2bff24dcb4606c6c8474f979bfb4858 |
| SHA1 | 5671b867df8ce726d1075909cd40f3934d680da6 |
| SHA256 | 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af |
| SHA512 | e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874 |
C:\Users\Admin\AppData\Local\Temp\nst7734.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll
| MD5 | db4961bbb3c1cf487904b15ea5b5884b |
| SHA1 | d1c23d22e93d3f9b268f99519d38d010ff99ea6c |
| SHA256 | 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12 |
| SHA512 | 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d |
memory/2140-52-0x00000000027A0000-0x000000000283E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst7734.tmp\mt.dll
| MD5 | 4fae8b7d6c73ca9e5fc4fe8d96c14583 |
| SHA1 | 10865e388f36174297ec4ecdafd6265b331bfdcd |
| SHA256 | 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f |
| SHA512 | 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1 |
C:\Users\Admin\AppData\Local\Temp\nst7734.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
memory/2140-45-0x00000000027A0000-0x000000000283E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nse7812.tmp
| MD5 | f4c67df51bc663d0fe796da555808daf |
| SHA1 | 401b211bb00735844e776c42808584a68644a82e |
| SHA256 | 3de9f09bef858f665cb65798f1a5d9a3554b8965d318abbf0df42736294db187 |
| SHA512 | a6a8636e3c6676cc181aa41f1f2490177baf38920bd9c3fff2181475ac542fd25bf16c4f409a1c93d5eb3f6e20842aee529646a655e80548bbda752cdd38c618 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsj7833.tmp
| MD5 | 55e77d60d71bb65a8fca04818df04968 |
| SHA1 | 0d40f3710f9d137b2bdc4c725d2953ad84e5778e |
| SHA256 | 2f7e1067489437ae1d4ee047aa7f3800c44754f59a2b555a5a02a61163548ae2 |
| SHA512 | 89d0efee4f55e5a93caece636c36702aad71bb2c9ba6dba4147d325131ad4214d6c192df3e2ae4963278eb394dcf61e746d6d6bd61771cc9f25eee240e09bbac |
C:\Users\Admin\AppData\Local\Temp\nst7734.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/2140-279-0x0000000002740000-0x0000000002752000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
| MD5 | 690df0811fc73ff2219183e5d80d824b |
| SHA1 | a720126932f65de281c6f34c5512be8f787f7161 |
| SHA256 | 19e42855c02278efba771951c712468221e3318984e65c866590899a70e9b8cd |
| SHA512 | 7e5feae85b18b479a014f050a31d276b3a7d82600b1ab62338c371b9093e23e59021973ddb2cd5783247be076b5824f96bb7f05998c5fc26e971307e1cbb49ce |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
| MD5 | abbbe3516d8a6280b94e78ea7060e9c4 |
| SHA1 | a2f22d9dc3db1f10a44902e5cdfd7431b27a8671 |
| SHA256 | 63601ef9667c037dc62dc92c7b389edfb4191cde9063d1059996b93f035f454f |
| SHA512 | 2ce546ef005dd07b5022fb524107c07693dbd58c21a2808060958baa7b968064c4e855d41c52f25ed89a3026460a6c9d413481e1d55f678ebf2cd5d170faf549 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll
| MD5 | 57543e6554f60bd4082306d26245bfe5 |
| SHA1 | 70d4b021173c42dc82d40073fabe7fc0c28ebdde |
| SHA256 | 7838055c1f0aabe6df5b5fb3c6db737936eeee6d2314339082a7586414ae81b2 |
| SHA512 | 317557cddf5d666c2ed677619d9b98424cadc624e1e31067403ab7646008ce5496687e46fb07b4c61d0aa967bd0b3ac144acc3672c64ed66c1b3dd0d23938399 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsa7A64.tmp
| MD5 | 325303182a07217d0890fdea1efd43c1 |
| SHA1 | 493d230cead6a1da017f243586a2a1edbaae21e9 |
| SHA256 | bad545db476a9e0ac68aa3d494444a4252e1aa7d1c47daf285b3afe06ab8da84 |
| SHA512 | 25bc073bd61b3c347e2e9ac22e9bc8bc4629ee50e3cd42b7887f59361ab0839836f4af2423ba832eaf840ef835ee2f82cdb6eb8fb1c56f3032639c2f4bd49f1b |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsv7A95.tmp
| MD5 | d36d04e1f35367b94d436efdb8744fd0 |
| SHA1 | d11e1634b8cd94487ea32f26f82fce48328099f5 |
| SHA256 | 8d909223f064038bf4983e13f4cca5bd7233948ef5e5fa65aa7998df0012b664 |
| SHA512 | ac1c296f72cbd60c40ebdc35602457e35021c4af8a96b378a5f4c263575788793a371fdfce8d59a9f6f6df169bef2f5acad335f98d34ad34837ef361476f3f09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | 759820a479e8f3bf68a08f33c2b3f461 |
| SHA1 | 46f8a7f09d5c1784861b67f2d3d4f45c6882088a |
| SHA256 | a2d778cd04a5016954748f136baaa6c2f3838bd9732763dbdeb2b00178dcad02 |
| SHA512 | f0dd3d642378a920d6cde8a7f54dd537c69f7381ac9f8e50d63950d38f92084463ee8845664950e064d70261cdba42c21c044ca6ea6ace3b904ce5499608d522 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsa7B05.tmp
| MD5 | e3d54cde89c8ab0876a4109d21f8d26f |
| SHA1 | fd9378ab062980502eb1e86b1817db8c54340632 |
| SHA256 | 4458efb2a28b969284d5f36e60e34acdbcc5a5082c68c540c9b2cee987f1db6e |
| SHA512 | 117c62a82334748242549477f057979fae42260dc777f5df7bb1915fd407a165094a14c72cf8d8c59f21d929ec216db2cd3bfdb57a88bb17e55efe3f1e62557f |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll
| MD5 | 1989cd78346c1f430484236daca1c2cc |
| SHA1 | 9d9eaece8fe80dd400a1af12595a5a32e931abfe |
| SHA256 | 2d8ab3f2dfec1393b75e1ba8d12148ab5b5e334d1b071754e08f7087b22cdcc2 |
| SHA512 | 00aaf06bc2a092ce3d9b8d95e685a9fd0b61a8a5afb23910bdeb43a82bb294f54ce21a05823cdca28aa67b520dfb4091c847f4ae2ea211156441dd3e5a50205a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | be4a589752add2d5b2065a973159ac63 |
| SHA1 | c48bc6a40d59d5fe84f87d580301401946230006 |
| SHA256 | 2237ac1569faaf930aed01e818e2be6b2a590584488f1a56f6842acf8af60dfc |
| SHA512 | 9a8d7e91c49a6ebb8905e5e6152541d379e7208f9920fb3cd9332af120e3db1d698749825d128ebfa60e54f9299863f1d63e45b655b787609fdf6c16ebe0543c |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll
| MD5 | 8a7e5619cbb2c659b3dd2d9c4a09db98 |
| SHA1 | a7eb94c32ca25dc1a9eb461d2d97d48475e010b4 |
| SHA256 | eae253b5691720fadd70083ed874b53929287a3d93834a3206f78ddf8fab1201 |
| SHA512 | 14f126006dccead7a344e69e6f21de15bddc6ed30fc248df4043838edd6ed838eae2db0f9ea1204584064a4426d610aeb34f268e37a98f54f274029763a146c1 |
C:\Users\Admin\AppData\Local\Temp\nsp7A23.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsg7B77.tmp
| MD5 | 1ec769319be356f3ffd4d668c65bc780 |
| SHA1 | 166358735cab88609b24b30458681369b83729d0 |
| SHA256 | b5684bb04516e7ae32dbc1f0ee685f32e1f804092720fd1906aac9d2cd0dbaa4 |
| SHA512 | ea9641ca1993be9630121acea8afbf1ff89753254375c87a10292879111f5534cfea3d4090de0fcee216d4721e756212895e5a9f70c5d7ada1de6c0de34bf63d |
memory/2380-1362-0x00000000021A0000-0x00000000021A9000-memory.dmp
memory/2380-1358-0x00000000021A0000-0x00000000021A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsl7B97.tmp
| MD5 | e80bec59cc69018fa2611b0332ce693f |
| SHA1 | bd5c460aec1b279d15e4d615cccad578c42a29a8 |
| SHA256 | 72edbc3d6c0d77da280d417d332cf2857721c97e3ca3d062739a9914b68b8caa |
| SHA512 | 27689dc0599b1a5fba495529ad80fdcd487c251b90f76846bea03f6138a83fa204cb4a0aa08101517d5df9351906632340d76a25c33504254586a96627f8d226 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsv7BD6.tmp
| MD5 | bd60b66d19936c06e557f01970291e6e |
| SHA1 | cf9c5e24c9f626d391dc2ffa3d0056bff48ecab8 |
| SHA256 | 1191f5d3aae21a366bf5c49d806b82ed41790f8435735b133990479dabe09bfb |
| SHA512 | 4d84c3d2f09805ca63aea4ae2c1abd5002a3624a1c8cb609a6bb656111264b8e39316ff421d1358258099ded65dfabd7e0d3b85ed4e050f7fc2ae1b28bcd276e |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsb7BF7.tmp
| MD5 | 4f2526f34f8d8798b8b60273e99982b7 |
| SHA1 | b95f98c4d73d28c230866e752c458c558bd93ba0 |
| SHA256 | ab3f364cc33799a64a253094c59b26e1801b2251c9752dbdbaf7a5cbc2943937 |
| SHA512 | 76e9291f5f078c6a795b2ca7a09eb21de79439b1dbd7dc2f5fd7e0d8a0891af51e55576565e816dd83b2444127d923d4bad03c8ff527d7adcbee1843a5ad78b9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | 2eafbc7df7baca57e262cf9dbb497a2c |
| SHA1 | ac1f5d4a17cfb359f3d4b8043ed453190e1c997f |
| SHA256 | 75ae48e791d7a4fb2d8729bdf4bdb74dae9ae5c43783c41e4381d4e89a45d1ce |
| SHA512 | ee99d39ee8ac10776003b4b10518890bb0837e31d2b02dab46d312f20f1c8c7f110105e246309837c2e37670afd5c93391dee029677e5102eb9da93616799c75 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsw7C78.tmp
| MD5 | d1f3b4a8a846541d1bc9abcf43df4f57 |
| SHA1 | f5548c75823f138204d681cefde21090b5315480 |
| SHA256 | d00d077b39df4b4c5973e131fb18b36473d8e6572024d310539ac9b07781a9fd |
| SHA512 | 61809a5aabf4d109f5bf1d0f3f67ef90ab45c093b42f4aff5bfb4c7c679e650846730b4f71010d91e11671443f6f7093225758f12b078fa637b991b20524baa7 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsg7C67.tmp
| MD5 | c84a16af0856ffd5249c0c3b02909fcc |
| SHA1 | 4d9d8a03ed6f1a9ef23af80a394248d9c76584bc |
| SHA256 | 22af796285e034a4047c745fca4888a23451a981d14f95d26df292c25ec4cac8 |
| SHA512 | 4b05bcac91da1a570d6e69e0d21bed2119017802f37b7de2388d52f11f9e8765e6b2c1f30725585ddb4c505d293677c6b5344e3fc45ec03676f93f55db250098 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsl7C89.tmp
| MD5 | 225b47bae47c484c3d6f7acec582f952 |
| SHA1 | 12dbbd1c0a9ae1f44def753c6232cf120b626cba |
| SHA256 | 641e038ee5abf15dee64c1a3552e776aba7b3fab5c440a4707bda98e13d5bc5d |
| SHA512 | 0f8e74410b382685c5a3b28762fa6c9d63e70accb4e365fd68fb89245c86037bd77afa93ba2d853324f719ada82eb889fc23429aa7f7facea45b9bc67097c230 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsb7C9A.tmp
| MD5 | 317e32805dd685797a18e6e58bf6f027 |
| SHA1 | 9b9ec33bf94f8b97491f434ca289f964afa7ef4f |
| SHA256 | 0399881e1940ef5ce62daa7dba3c5fc3da815b9a9b9a764890679c6c257c662d |
| SHA512 | fb35f570be7e27212e6fa13c8577f7df2449d8388eb5f89c8dfd97d4d2d6343644ab1b04abcef8e444bce1de98ea8724b89d145873033df59477db78cfa069f6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | 15e275167fd01bfc184946c5c4dfc3c4 |
| SHA1 | 365595bcb3e246ce897f4afdd339a4fe4f629f55 |
| SHA256 | dce9080e2b3f87e733177dfa95e683034c454d857efcd8da2177982ff9c30a37 |
| SHA512 | d8c613c183af67826cc44e8f41bdf24cb4f5478b65fd18c1e296a2de456e964bb1e821baadbbe8db14b7062f134a594506c1be3670a752363c415d74783ac5cb |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsq7CAB.tmp
| MD5 | 0bcd1d50639522e5238356b28c025b89 |
| SHA1 | 61c7291d035dd5cf4c0bf57137d5e06e47e944e5 |
| SHA256 | cb7bd3381412ef71a191d9607cd9f97f91a9e22007132457f1455ef926ee7fb0 |
| SHA512 | 60bcdf0a96e9a05a81e5b6532d750b3fea21bffa377cf5f77bb5d5b357d4e21609bab16f362ee8c05d8e1f48fe9d4752162ee6c14b692f4538a54f313988c02b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | 360a67cf27048a41ecf124620632f254 |
| SHA1 | 838bed30d0e20eb75ac41004260395f6203c8277 |
| SHA256 | 8053ec73773af6e4d7af5707095bc3d8e19352643bed81708c2b43d8c3824872 |
| SHA512 | 52950d86db7b32641014dd3912ab5a2f149f6eb71d7c933756064d13d821c0f9aad68404e13a646d1c8c47cc8cf4c10b8ec192c60ee464c16bd163cb375e4fc4 |
memory/2140-2659-0x0000000002D50000-0x0000000002D62000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | a4a7bfa4da5370ae1e91023bd218f05d |
| SHA1 | d66d83f9ed8bcaaf85a2feb5ca0a39c628827301 |
| SHA256 | ae9a8abf1fba0d561477cb60c00590cb66b5a410275d52d2bde1bebaa59cbeed |
| SHA512 | 2d239d8fa32ec3e7085ecdf784285f744ab7ca44ffce3b98f97c8e58e222d37f457245f636fd31dd162db7012925b6cc1d71341ec240468ef90b74c60cdd503d |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsb7D41.tmp
| MD5 | 8b139505a7960d49892ab5f01d0c35aa |
| SHA1 | 8ea1a16ffa9a34b27734a4ebd9a437ec7d3e236c |
| SHA256 | 8406dfbfc00b6f2b0c779c207ef4b79669016fa729ff60d97e33e13f9eda0ecf |
| SHA512 | 1ff03b28f7a60c0f66c20efcd6bfc55997b0099d2d29baa2bebd9a0179c96057f2dba9c2e49bf846dc546b62600b9bb6521ecde17bce3a0c71e9ddf937526ca8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | 16f2c6f017471518a9e1202da38392d5 |
| SHA1 | 5234d1b4e0f9f300102cc202721f689e079ab0c6 |
| SHA256 | 9277b891c79128db4293329d010eca1c8e9962627677f4de1cfcd3ee1daba98e |
| SHA512 | 3f48ad7225c00b127d9320ee101cbbd65f820ab0a16ecb88c82f529215444e42170493c551e0089d2c07579f6ea8487e5c7e48a13ac6278780fc5afa951fb974 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | 69ab6e2065a6a4251313585bd141a828 |
| SHA1 | bc23cfaead8196d2948f8b3d09a7f23b0342f42b |
| SHA256 | 88bbfb7d74010b75845fb462a727d917ac86ffb355471f32af75dbcd24fb3f64 |
| SHA512 | bc6b469f07a99a0bef6bc5e1b86fcda7993f6fad53ddbe3bd03552304a127926d0bd2d581808336f1b04ecd35f0cdb43788d668b5dd21f4c742a32eca931c6b7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | 699624e96974fdb9f1e70d4d94f65e81 |
| SHA1 | 5562182dd1f360131c1a01a2d9c5b9211faf5739 |
| SHA256 | ae44146662cebd974eca9aa599e57699d13d1a68955b4ab5ea1dd985dcb4e10d |
| SHA512 | 253e4e3a89802f6715425d52fbeec6aab556018b6aa04dd10fb135c4d7e3d70ee66a7a341a2e5f2433cec5d46701f99ea8d4d049ddcd1f58bd8f686d90a7180f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | 1136732008268e68b9e90c5ea5a93609 |
| SHA1 | b623c2d9c65e17c639411f0b1e9baaf67c5ed5b7 |
| SHA256 | 595628fed16eaa87a8d05f2c661d32e70ad748986e357fa57007ecc9c3fea15c |
| SHA512 | e21ecc34d31dc09b15ae64b9fd590b8f7cc0b923ee8e8a57c688f6f8dde62cfc81989dfa8dd0a082b7eaf44ca95a158740ff204fac4fe2e0bf3d1b353b397130 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | bf1b3a8867c8d94acc351ad370ec57eb |
| SHA1 | 3947c05af8f5dff4ea4b165df80a6907aa49aa1f |
| SHA256 | aef8e68185b490d553bccbb142b44e6b6ad3ac5800d6436d739872d4071fbf0b |
| SHA512 | 1bb6e448c674c815a449576b773e5c923f5279c3b00455fbd49c5ecf4394ed6137e5a4872395041c5ae6dd45ceb3a1dd1ed0dc5029e123a864c1df1fd1a17d68 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | fde344b64ff65dc90d266603fa9efdf5 |
| SHA1 | b17cfa0923a3b0960c8408484e6635e67786566c |
| SHA256 | 677d7039e5feb0e3fde6627a6dccbe28525097fe41f4f80da65114a79454c61e |
| SHA512 | a180816b9e26dfe3e4b16d424d55fa306bd7adf8d5027ad0ccb7a6c93b0ec88675b75480519288a9bf990f02e75af53779dca760c526a996ba68cde4e4eda2c3 |
C:\Users\Admin\AppData\Local\Temp\nst7734.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
129s
Max time network
151s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "ILiteColumn" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\NumMethods\ = "10" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods\ = "11" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ = "LiteStatement Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ = "ILiteParameter" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ = "ILargeInteger" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\ = "LargeInteger Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection.1\CLSID\ = "{3E22694D-7B92-42A1-89A7-668E2F7AA107}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ = "ILiteColumns" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ = "ILiteBusy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CLSID\ = "{3E22694D-7B92-42A1-89A7-668E2F7AA107}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\NumMethods\ = "9" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC\\sqlite3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\ = "LITEXLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID\ = "LiteX.LargeInteger" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4400 wrote to memory of 1040 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4400 wrote to memory of 1040 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4400 wrote to memory of 1040 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1040-0-0x0000000010000000-0x000000001009E000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
134s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1804 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1804 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1804 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3388 -ip 3388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
133s
Max time network
106s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4172 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4172 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4172 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
141s
Max time network
139s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl.ividi.org | udp |
| DE | 159.69.186.9:80 | dl.ividi.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.186.69.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.152:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\IS.dll
| MD5 | c31b97adf54bdd6ac6d19ab85cc6bc57 |
| SHA1 | 7e458577b1fe49885c21f38ba981f77b00bdd59b |
| SHA256 | 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a |
| SHA512 | 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790 |
C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\nsJSON.dll
| MD5 | 78b913fcd04259634a5e901c616e6074 |
| SHA1 | ad5e1c651851a1125bcad79b01ccdcfa45df4799 |
| SHA256 | e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59 |
| SHA512 | cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5 |
C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\NET.dll
| MD5 | 9adaffc2a1b579115e40407733d94dde |
| SHA1 | 866bbb0dbbd217aa287fe3324ecaa828e8d7b622 |
| SHA256 | b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555 |
| SHA512 | 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619 |
memory/2068-21-0x0000000074810000-0x000000007481A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
128s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4660 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4660 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4660 wrote to memory of 2044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2044 -ip 2044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ = "ILiteRow" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\NumMethods\ = "21" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\ = "LargeInteger Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\ = "LiteStatement Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ = "ILiteParameters" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ = "ILiteConnection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\ = "LiteConnection Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\NumMethods\ = "11" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ = "ILiteStatement" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CurVer\ = "LiteX.LargeInteger.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC\\sqlite3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\ProgID\ = "LiteX.LargeInteger.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ = "LiteStatement Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2868 wrote to memory of 2100 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2868 wrote to memory of 2100 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2868 wrote to memory of 2100 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2868 wrote to memory of 2100 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2868 wrote to memory of 2100 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2868 wrote to memory of 2100 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2868 wrote to memory of 2100 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
Network
Files
memory/2100-0-0x0000000010000000-0x000000001009E000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
136s
Max time network
106s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1720 wrote to memory of 2928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1720 wrote to memory of 2928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1720 wrote to memory of 2928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2928 -ip 2928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.163:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240220-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 224
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
132s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3900 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3900 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3900 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
134s
Max time network
105s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 852 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 852 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 852 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4952 -ip 4952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.163:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 220
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1628 wrote to memory of 688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1628 wrote to memory of 688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1628 wrote to memory of 688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 688 -ip 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 224
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
135s
Max time network
106s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3520 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3520 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3520 wrote to memory of 4952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4952 -ip 4952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 224
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
132s
Max time network
104s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3308 wrote to memory of 3704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3308 wrote to memory of 3704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3308 wrote to memory of 3704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 220
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
134s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2160 wrote to memory of 4644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2160 wrote to memory of 4644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2160 wrote to memory of 4644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4644 -ip 4644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.163:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.61.62.23.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3484 wrote to memory of 4440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3484 wrote to memory of 4440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3484 wrote to memory of 4440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4440 -ip 4440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:38
Platform
win7-20240221-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 228
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2600 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2600 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2600 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2600 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2600 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2600 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2600 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240220-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\TypeLib | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ = "IwebAtrbts" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\ = "IEvntCntr" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dpblck | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\hp_chrm = "http://search.ividi.org/?src=tbhp&id=6cb57df7000000000000565622222c98&affilt=orgnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96} | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\CLSID\ = "{8B8B2E80-1444-451D-AC8E-EB9A847F3887}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\ProgID\ = "escort.escortIEPane.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\dfltLng | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ = "IXmlCnfg" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\excTlbr = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1\CLSID | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ThreadingModel = "apartment" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\VersionIndependentProgID\ = "i" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ = "IXmlCnfg" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\admin = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ProgID\ = "ividi.ividiHlpr.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dsFFX = "Search " | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiTlbr.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ = "Ixtrnlmain" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\ffxInstl = "all" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\chrmPref.dll
| MD5 | b2bff24dcb4606c6c8474f979bfb4858 |
| SHA1 | 5671b867df8ce726d1075909cd40f3934d680da6 |
| SHA256 | 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af |
| SHA512 | e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874 |
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll
| MD5 | db4961bbb3c1cf487904b15ea5b5884b |
| SHA1 | d1c23d22e93d3f9b268f99519d38d010ff99ea6c |
| SHA256 | 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12 |
| SHA512 | 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d |
memory/2912-38-0x00000000027D0000-0x000000000286E000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\mt.dll
| MD5 | 4fae8b7d6c73ca9e5fc4fe8d96c14583 |
| SHA1 | 10865e388f36174297ec4ecdafd6265b331bfdcd |
| SHA256 | 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f |
| SHA512 | 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1 |
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsi1873.tmp
| MD5 | d3079578282b28ba03ffdd2b6b4e0e1f |
| SHA1 | 6fe41d64a9132030121a9fe5cf2850b813767857 |
| SHA256 | 31a17eeaf1af357533c4bafed56ffdf89b7a9c3b71b7081c3e3fbc01033b7b8b |
| SHA512 | 6287fa74ba3add7407ea65c5406e13ef151f778eb0ba1acd76cd32e17da92be5d6ba98c616132730d558026a94241d24036643e2eae35b164e78140869254f50 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsy1884.tmp
| MD5 | f4c67df51bc663d0fe796da555808daf |
| SHA1 | 401b211bb00735844e776c42808584a68644a82e |
| SHA256 | 3de9f09bef858f665cb65798f1a5d9a3554b8965d318abbf0df42736294db187 |
| SHA512 | a6a8636e3c6676cc181aa41f1f2490177baf38920bd9c3fff2181475ac542fd25bf16c4f409a1c93d5eb3f6e20842aee529646a655e80548bbda752cdd38c618 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsd18A4.tmp
| MD5 | c1f678982f2e14ee43ab9e25d6d4dc1b |
| SHA1 | 283c5f9db053718e4f5f9c572f18502b9ff1e6e6 |
| SHA256 | f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f |
| SHA512 | 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsd18A5.tmp
| MD5 | 55e77d60d71bb65a8fca04818df04968 |
| SHA1 | 0d40f3710f9d137b2bdc4c725d2953ad84e5778e |
| SHA256 | 2f7e1067489437ae1d4ee047aa7f3800c44754f59a2b555a5a02a61163548ae2 |
| SHA512 | 89d0efee4f55e5a93caece636c36702aad71bb2c9ba6dba4147d325131ad4214d6c192df3e2ae4963278eb394dcf61e746d6d6bd61771cc9f25eee240e09bbac |
\Users\Admin\AppData\Local\Temp\nst17C6.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/2912-270-0x0000000000570000-0x0000000000582000-memory.dmp
\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
| MD5 | 690df0811fc73ff2219183e5d80d824b |
| SHA1 | a720126932f65de281c6f34c5512be8f787f7161 |
| SHA256 | 19e42855c02278efba771951c712468221e3318984e65c866590899a70e9b8cd |
| SHA512 | 7e5feae85b18b479a014f050a31d276b3a7d82600b1ab62338c371b9093e23e59021973ddb2cd5783247be076b5824f96bb7f05998c5fc26e971307e1cbb49ce |
\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
| MD5 | abbbe3516d8a6280b94e78ea7060e9c4 |
| SHA1 | a2f22d9dc3db1f10a44902e5cdfd7431b27a8671 |
| SHA256 | 63601ef9667c037dc62dc92c7b389edfb4191cde9063d1059996b93f035f454f |
| SHA512 | 2ce546ef005dd07b5022fb524107c07693dbd58c21a2808060958baa7b968064c4e855d41c52f25ed89a3026460a6c9d413481e1d55f678ebf2cd5d170faf549 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1AB6.tmp
| MD5 | 03c1bd0827f5d45d252165a379312a42 |
| SHA1 | 615080139c3860a6dd984a224e81290357647cd9 |
| SHA256 | 6c8954c926587b318dc77a62e4a9fbbe75707eb4cc74e23a81404b7572992011 |
| SHA512 | 77940fe0d248d3868373775a2a3d2bac5e3e4fb676ba82a95cf59617a9a34d4590192e84451edc74e9d48f9ecc5902171f312366c64af36a6874daefffe7aeff |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1AC6.tmp
| MD5 | 40c4cf19fabd38737dabf2971f6e4c36 |
| SHA1 | bf92605d8801032b9750982fcf9de38402d1ef46 |
| SHA256 | 023c9c799ab44461afa2c8bee81f33c0086230128dcbccff3842d1ac9db52796 |
| SHA512 | 7adfc12b4f906d81ea57b95d28038909b61e8296bcd48e517d9279a37a1c644cdbf6492c83ffe4ba1e16e3cc350c7adf56dbc9169af46b032f567a455e897cb4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\user.js
| MD5 | 3a2c21148c9891ed26f9c4536669e0c2 |
| SHA1 | 7eecf5af8e858bfac28b8f0832511d2b48b5fa72 |
| SHA256 | 5f4ade8b37e2961818db033f06a0877a7a560a1c1121df75cc4ab1eea9d89a99 |
| SHA512 | 9eb17e54d837470bf313822c21d38821217edcb74eca974eeec47b6d8f3b738ba28a8f2298e672bb87da0f9e164a0cc55244490843a9f59e363de3009481bbcd |
memory/452-823-0x00000000003F0000-0x00000000003F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst1A36.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe
| MD5 | 351707305245428eae73bc1add4e1e43 |
| SHA1 | a7c2eaa393ff9a96bf040a9f942b5a26807253f7 |
| SHA256 | c61eb0ab6df8f89573a9caa6876743f1fb7dde313f322df5ee8bb0e2fe07b00a |
| SHA512 | 00d766f16eeec9e6171dce6966a0729c43e0e14ab5f405672e1eddc764485aae12fb2d47ee842743df6d70728f703c65def81ba8cbb3cbcf3244ee1d63e4db63 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\user.js
| MD5 | 1857ffa310a89162745e2d7229a2bf69 |
| SHA1 | 9e8ca7b812c2024e3eff1ef53d87847755cf33b1 |
| SHA256 | 919fbe7df05b3db17e768ecbf446de2b41cc7ca0330163978706f66bd37b9caa |
| SHA512 | c3d9ba6e1588208a0e85c066607f11763edf2e7e319dfe34a30be85d0d08567f93c8de617a7f9c0f7f85c2015c189c397c578cd49da78725ca9de72126333715 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1B66.tmp
| MD5 | 99f04e47feafbf8ebfc3d42989c9abe5 |
| SHA1 | e64bf2615afdf9cf4b9e0965d654c2b8f097c36d |
| SHA256 | 0a174321eec789e21b5c85583be4d958004e018ab5eb1e3c75ea302c44714388 |
| SHA512 | c1207355811daebb2604b007448c7a704aa0bfd933ea14e2807b60289032977579dad23ceae492cb7cbf2280ab4d5242868f92cbda9810b2e14955d4a819a961 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1BA6.tmp
| MD5 | 5f9da0d5d4d7c9594282adf23d4ee084 |
| SHA1 | 96869b9f7e5e695d25a0091b66fcd8291ed1f637 |
| SHA256 | 91b51788e2fe4ff4b8957dec6d3f5115f299246d22dd342f9f5cf85a25b09ca4 |
| SHA512 | 532e0cf0fec58924948e947a935349708ecc8e291a62084e9f1831b6ef9a7ea611590467cde028ba42b711f2677934daca9e645bd02ad0950b6f65741c7b04c1 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1BF5.tmp
| MD5 | faa7d4b8118e1aeefe8a7517ca541f2c |
| SHA1 | 55214d20c11829204b17c31fde07ac1bd010a43a |
| SHA256 | 5743d243d380b76b006f00b5e774c2a09c1f3d59e42f6034481c0de180db4513 |
| SHA512 | f5ac71080d512b7d08535ad3653171ad76154f2c6dde479d9b6ff6af44ad51799b25587aa716b3359a0b126613bd783fc73b454f02182de7f7c4adcef0e5abee |
memory/2912-1202-0x00000000005D0000-0x00000000005E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1C44.tmp
| MD5 | cfe51bbcf1ff1fa7b5177c6466bc9e37 |
| SHA1 | 78436a7cfd1f503f5c871155282de865e977e82a |
| SHA256 | 569656ce1940331bc8deb2bb000d897cb4ee3eadd5a9215672dd6d36dd393f62 |
| SHA512 | 10321e61df96b9d33ce12d34905e5240861f9bc62c3762d54f0ed6935eda2cacc39ea5509ec2094efa35138b41ba2517e4ee1ae90edf24eae5c0fa5c66f7b9c4 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1CA2.tmp
| MD5 | 9f7a396100ffa5ddf33259e306534291 |
| SHA1 | 8ba62352da920ab726339ef98d8d27f15d83c151 |
| SHA256 | 3ab5297a3c788b19f2f997c4d0dbed27b1f86f4dfa13d98f9c541f7575426b55 |
| SHA512 | 9371d753254c36b8560375d89a78242fc877af885496646ba4f69417c52f195dab6b366341f5714b3a86b63b6b4236628a49a54e1901e3b844517b2c637df98b |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1CF1.tmp
| MD5 | 59682c097c82d5f2ed500f76684c5397 |
| SHA1 | 9d04e1afd88cf41459f2deb2cbf23a3f33cfe3d0 |
| SHA256 | ecbc3420952d2965ed7e683894bdd871d89b97700908a81efa82a01c241ad62b |
| SHA512 | 0e7c4cb630d607e6148bcb57562d47ccd54210de16a80b1a8868e92b48ab2db114f7e5306106cb5aa14e060b7608401f41fd57f55b1e94a1c39378be1bb68b71 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\user.js
| MD5 | e873c389dcd0f0abd1c523d0429de3a5 |
| SHA1 | 98fe8252b9fd5f6f206a304943fa01bae5585cb3 |
| SHA256 | b48660e6f293a4a6878a891d49f84ad3f6b92ee011a8b324c5760c5e535dc77f |
| SHA512 | 7b76249a83867b6a63ca151e101883712fea33436d83952d9e95bf1788090af7a4641591d822a480a8fb8486a45416b1687091b5959bba2048bd4c7928d260bb |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1E2D.tmp
| MD5 | c77a982d1fec8809f1f56b2220b98702 |
| SHA1 | 493ee87b2eaed2f930ddbcdfc0aa08ce01832b14 |
| SHA256 | 4929dd6438da2eeb48e99926f6347d6bb867fd6136aaa79a439200d39c4b396b |
| SHA512 | 354027e6c85d8508c50a886876ee765040aa95487ff10519792ac0ad32892fdb99b4fd03f5f1a9aa8d65c0a374577b4444f1d7a51e6e06e0ed1b255d41c8304e |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1E5D.tmp
| MD5 | e804b89458e81da2a3952c824abfeb79 |
| SHA1 | 2582e504caef1225970c9ed6d3bc67eba4998020 |
| SHA256 | a04e299b6c931fc662b22992177e86ef257608f1cbe7b23c0836207791207110 |
| SHA512 | a9c7ea64ada2ea23c6a029b56d7be15a2a1b49d5ade6bffbe3490f741a6e86303c271ce82d6de04d1abee0bc1262a27e94d98748e7f5531742211fcabdfb8757 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1E9D.tmp
| MD5 | b8a50d3a85c1ac2005e9a318f5abf254 |
| SHA1 | 9c64959a5740cceab52b431099ee6bd12f7105b5 |
| SHA256 | 49f80954ddc5b1008017ca6fc7f11cfabbfacfb2e7fb40a84eeabba3dd78d6cf |
| SHA512 | 170ba1cdaeb576da5c77c19d25712fe71f2560c85bcf08238235d5b48eaf8a655ed5e4a34fe5f148ce21e99de6a9f0235a5c4200f42b90a6c0c9e6e3bbd3102b |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1E9E.tmp
| MD5 | 66a549aabfc03a1ec7afb576b0188a29 |
| SHA1 | 2e3c237b7dfb580ceada69e08b5531c426245103 |
| SHA256 | 8d543d01769ff2632682320c81ca951d7ba78c6a0be88f20ff39b83325cc198f |
| SHA512 | e606525673b4e54515df024e731efaff341f4a2e243d91488dd8fb285443d4b58e4c24afc8a5e7bcc60b2aa4163b09a2bf96b277b23f1cf1d971ea24d569bc09 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1EAF.tmp
| MD5 | b4d771b79d764fd215f221b44ec94055 |
| SHA1 | af32efa31807236e9d5edcf7ddea72e3cadc3b63 |
| SHA256 | 51b68b68e91fa9563e3d334e9844cc8ce49b1cb02eb8104878aee2b47e5574ee |
| SHA512 | f50f27c3b9cd7d6c194786c4fac79a320a74678344c42dc3fdffe7644b409070d8a401429adbceaaf49b19264fd0046f6bcd7404bdcce0a0b2893b48ae81a4f1 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1EC0.tmp
| MD5 | 3c7b8424f064f55e80aaf7e28bf37a78 |
| SHA1 | 98dac18586b59796292e05115e6a33f3bfe52c04 |
| SHA256 | 99bad23318a9bdcd1005bb3eb289af28ca3f5aeaa39ead9b3ffaac83aecf3883 |
| SHA512 | 693074dd76397bd008345c94f789cb5a9945760f8d442d314ee29f3b420b00242a386b0eed739b8b5adb030702932b01b09e0e640c30424b2431b82d72a956d4 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1ED0.tmp
| MD5 | b8492849ef4e7a754ccdccfe45d0f907 |
| SHA1 | 95dabde944c0887d30649c4be32dbc98be37c463 |
| SHA256 | 4747d49286dcd3de52b7ec3a3d132ae2cf3b5f814ce7feae0c574886d5b1069b |
| SHA512 | 4f4b32c9b5d1731fa2642784df28140fa8041b507d6a8c83b24fc5b01ba181893eab191db7981181a9db719ac70865715d3db6d82eba157215f294b1480ae2a3 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1EE1.tmp
| MD5 | e2509218f4d2685c67da7d87a62462d1 |
| SHA1 | 3d26138b253767a1302b5356243a3c12e5315053 |
| SHA256 | 46d335a4c5188de444ce6d7100f4ba6a815370ea650747d00f79c5933e762f3a |
| SHA512 | b34520fa836397046b907e572387416b75e6b5743855394bb3514b02a6b3d3e957b7bb8a13b4a1570ce7c095ee138e04557397978b8187150c5760676ffd49bd |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1EF1.tmp
| MD5 | 8671f2a532015f10a6e11bb0ccae3298 |
| SHA1 | 93e903d01468370214d91619f393a4436e637019 |
| SHA256 | a66d5e784598f7291d0c3de1cefe4f5288837ec1218e7c7495380d40360ed80d |
| SHA512 | dc346ee9c5a2bd3b885b27a842179c7968466ffcef9c55ddca399fed6b381d9ac096c4889968ccc1dc6cb62baead4babdb74a7cde1e823e2d65264c7da9fbe9e |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1F02.tmp
| MD5 | c43c28a65780cb5824789c36dae197f2 |
| SHA1 | 878dcaf907b78b75588830813d926c547c412f64 |
| SHA256 | ed062d760f3140af464088db07e4ecfdd36373342a69230d475bd3f90cd03b9a |
| SHA512 | 8e6b6aa7990a19ec82db306e047d0ebc477a3fd0373f87c75c6134729606323813f62e53530fd132f7c328f2b439b25707486df4d6f613960006759ef530053a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1F13.tmp
| MD5 | 9df5f6dd29981f2752ce4787dbe7501d |
| SHA1 | e775dfd18905f30153dd533f4d8f5aa0494b0079 |
| SHA256 | 0213e7e5a772b9441bb25712185b7deb81437440ea5c5bae887c71550ff7f6b2 |
| SHA512 | 8d5549b83d5da0ac41b17ddf57cf87a9a8d1f694bcd1a77915b89e757f0544d430ced2f871c35f487a11b0e2effd9837ad47647151afa35d33f5d6fccc32b341 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1F33.tmp
| MD5 | 6886a159a6843ca7ac4f0af41aaa913e |
| SHA1 | f35954ef399f6d5104d10c152e607ba682936111 |
| SHA256 | d25e735d48503c336c5341c9ca8c7972f47d6e681f20162807752cf3f2de7c7b |
| SHA512 | 6be0112a7de1d6c148acfa9b7945a2cfb8031d66a6ad3cfee11cbc82dc2c46d2c77db38b5b5bc36607bd676fcd880dd6ced22df2a7905b2998e74ec38c68387f |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1F53.tmp
| MD5 | fe7c8c70f116e1d743702caebb22dcdd |
| SHA1 | 0fac992cb59b4f4e87d536e4c9513b7e6e50f721 |
| SHA256 | ec0fee61128907f29031e6a134f089315fc38afdd887bc76900418b4b6ce4ac5 |
| SHA512 | 299e8706f55695f1d4b07235122fad25ed3de67b28df889a4fd5575d8e6c03c27ba9321cabcdba08e7ab955f8c5f21d8e25f731e6cd5ce1adc9309effad3fc2a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1F64.tmp
| MD5 | 1acc7c8b8a565964036f80eb4c913ca2 |
| SHA1 | b994b4549440f96a6965239b647e91eb81d22240 |
| SHA256 | 60edfb1f614b491f52053db5674d9a3ea6f239419034acaf1dce80a8dcedd456 |
| SHA512 | 13fd290d718f7c2a4729531f0154b29b7af8df122f40df818869039837bec62c56999d44159f06d209a0c593e9ef0d745f79f22b8492a032d71d5db88a8ac3fc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\user.js
| MD5 | 938c803d721756621e0ede22adb0f5f7 |
| SHA1 | b36338d15f4846efa0f970aeed40e9be25e8f19e |
| SHA256 | 775ac38f0a1280e781f5ffc10ade9031881e0197bd84f0283b754a4568dff859 |
| SHA512 | cf400f274fd4caf3cc5a4d50233beb3e5effa8e969bab60a103c3d073b83c2802ad3a61d56988ddb0e239da8b0387dc10e127f13f41e9adaf96dc5beaa45d887 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1FE4.tmp
| MD5 | 97073c802cd5c037b33a3a79bc6f9aed |
| SHA1 | f0f7d3d68b4042ff95d25c9e1f66b25c8dae1134 |
| SHA256 | 5ac8aa5919a8ea983a06276ba7c034af830098ee25875273e68b60be93d76f54 |
| SHA512 | 3ad0090dc2fe065e177ccdd07c11cfc61c441654d2df492779fdf8b6eadf2a01c93073440614f3462392ec342312dd9b9156a4fd39346f59208b73ba8f5841bf |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso2005.tmp
| MD5 | 3039b240ed14a716ee6d3c64fa989180 |
| SHA1 | 3c11a0a75b84aa69d53688703ddac93ca7ff7c6e |
| SHA256 | 0db7dd35f46ee1ecfe8cb0317b8be1a5b9394737c8e9f27fc1216e264ab6946c |
| SHA512 | d64adfd0ea4485107aa7942350bfca72214445b98ac6a03b1177a9efc1d8f8837abaf42292d88c78ae73cb2cc26618fd4c0d39ca9f90c14978bac2d2285400bc |
C:\Users\Admin\AppData\Local\Temp\nst17C6.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
130s
Max time network
101s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2768 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2768 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2768 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 224
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win10v2004-20240419-en
Max time kernel
134s
Max time network
107s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1104 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1104 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1104 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2632 -ip 2632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20231129-en
Max time kernel
140s
Max time network
140s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl.ividi.org | udp |
| DE | 159.69.186.9:80 | dl.ividi.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsi935.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
\Users\Admin\AppData\Local\Temp\nsi935.tmp\IS.dll
| MD5 | c31b97adf54bdd6ac6d19ab85cc6bc57 |
| SHA1 | 7e458577b1fe49885c21f38ba981f77b00bdd59b |
| SHA256 | 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a |
| SHA512 | 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790 |
\Users\Admin\AppData\Local\Temp\nsi935.tmp\nsJSON.dll
| MD5 | 78b913fcd04259634a5e901c616e6074 |
| SHA1 | ad5e1c651851a1125bcad79b01ccdcfa45df4799 |
| SHA256 | e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59 |
| SHA512 | cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5 |
\Users\Admin\AppData\Local\Temp\nsi935.tmp\NET.dll
| MD5 | 9adaffc2a1b579115e40407733d94dde |
| SHA1 | 866bbb0dbbd217aa287fe3324ecaa828e8d7b622 |
| SHA256 | b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555 |
| SHA512 | 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619 |
memory/1848-19-0x0000000074050000-0x000000007405A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsi935.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1884 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1884 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 220
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20231129-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 240
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-04 16:35
Reported
2024-05-04 16:37
Platform
win7-20240215-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 224