Malware Analysis Report

2025-01-18 22:05

Sample ID: 240504-t3rjtaec83
Target: 1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118
SHA256: 202a0f062a55dff3f26247077837a870d128d4ce6a32b9ee8faf06b2db353f20
Tags: adware, discovery, spyware, stealer, upx
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 202a0f062a55dff3f26247077837a870d128d4ce6a32b9ee8faf06b2db353f20

Threat Level: Shows suspicious behavior

The file 1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: adware, discovery, spyware, stealer, upx

Reads user/profile data of web browsers

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

UPX packed file

Checks installed software on the system

Drops Chrome extension

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Analysis: static1

Detonation Overview

Reported: 2024-05-04 16:35

Signatures

ACProtect 1.3x - 1.4x DLL software

UPX packed file

upx

Unsigned PE

NSIS installer

installer

Analysis: behavioral12

Detonation Overview

Submitted: 2024-05-04 16:35
Reported: 2024-05-04 16:37
Platform: win10v2004-20240426-en
Max time kernel: 141s
Max time network: 108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\CLSID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1\ = "escrtSrvc Object" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\tlbrId = "base" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\run4ie = "end" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\Instl C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\ffxUnstlRst = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd.1\CLSID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ = "IxpEmphszr" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\ = "escrtAx Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\AppID = "{905E34C2-F4EB-49BE-A36B-47692CF957A8}" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\ProgID\ = "ividi.ividiappCore.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\VersionIndependentProgID\ = "ividi.ividiappCore" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dsIE C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CLSID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\newTab = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\run4ie = "start" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiApp.dll" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\ProgID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\ProgID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ProgID\ = "ividi.ividiHlpr.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2140 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.112:443 www.bing.com tcp
US 8.8.8.8:53 112.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.228:80 reports.montiera.com tcp
US 8.8.8.8:53 228.230.16.69.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files


Analysis: behavioral14

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

129s

Max time network

151s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "ILiteColumn" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\NumMethods\ = "10" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods\ = "11" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ = "LiteStatement Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ = "ILiteParameter" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ = "ILargeInteger" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\ = "LargeInteger Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection.1\CLSID\ = "{3E22694D-7B92-42A1-89A7-668E2F7AA107}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ = "ILiteColumns" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ = "ILiteBusy" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CLSID\ = "{3E22694D-7B92-42A1-89A7-668E2F7AA107}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\NumMethods\ = "9" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC\\sqlite3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\ = "LITEXLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID\ = "LiteX.LargeInteger" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 1040 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4400 wrote to memory of 1040 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4400 wrote to memory of 1040 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1040-0-0x0000000010000000-0x000000001009E000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1804 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1804 wrote to memory of 3388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3388 -ip 3388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4172 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4172 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4172 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

141s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.ividi.org udp
DE 159.69.186.9:80 dl.ividi.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 9.186.69.159.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\IS.dll

MD5 c31b97adf54bdd6ac6d19ab85cc6bc57
SHA1 7e458577b1fe49885c21f38ba981f77b00bdd59b
SHA256 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a
SHA512 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790

C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\nsJSON.dll

MD5 78b913fcd04259634a5e901c616e6074
SHA1 ad5e1c651851a1125bcad79b01ccdcfa45df4799
SHA256 e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59
SHA512 cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5

C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\NET.dll

MD5 9adaffc2a1b579115e40407733d94dde
SHA1 866bbb0dbbd217aa287fe3324ecaa828e8d7b622
SHA256 b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555
SHA512 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619

memory/2068-21-0x0000000074810000-0x000000007481A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd3672.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
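A note on reading the Network table above. Every win10 run on this page, including the ones that do nothing but load a single NSIS plugin, shows the same sessions to g.bing.com, www.bing.com and tse1.mm.bing.net and the same 8.8.8.8 PTR lookups for each contacted address; that is the sandbox image talking to itself and says nothing about the sample. The row that is specific to this run is the lookup of dl.ividi.org followed by a plain HTTP connection to 159.69.186.9:80, the only connection in the main detonation that the sandbox OS does not make on its own. The Python helper below is an added triage example, not part of the sandbox output: it parses rows in this report's "Country Destination Domain Proto" format and strips the background so the attributable names and connections remain. The row set is copied from the tables on this page (behavioral2, plus the domain-less row from behavioral4); the suffix list is an assumption about this particular sandbox image, not a general allow-list.

```python
import re
from dataclasses import dataclass

# Constructed input: rows copied from the Network tables on this page
# (behavioral2, plus the domain-less row from behavioral4).
NETWORK_ROWS = """\
US 8.8.8.8:53 dl.ividi.org udp
DE 159.69.186.9:80 dl.ividi.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 20.231.121.79:80 tcp
"""

# Assumption about this sandbox image: Edge/Bing telemetry and the PTR
# lookups the sandbox issues for every contacted IP are background noise.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "in-addr.arpa")
SANDBOX_RESOLVER = ("8.8.8.8", 53)


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str   # "" when the report left the column empty
    proto: str


ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            conns.append(Conn(m["cc"], m["ip"], int(m["port"]),
                              m["domain"] or "", m["proto"]))
    return conns


def is_resolver(c):
    return (c.ip, c.port) == SANDBOX_RESOLVER


def is_background(c):
    return is_resolver(c) or c.domain.endswith(BACKGROUND_SUFFIXES)


def sample_iocs(text):
    """Return (names the sample resolved, connections it made) with background removed."""
    conns = parse_rows(text)
    resolved = sorted({c.domain for c in conns
                       if is_resolver(c) and not c.domain.endswith(BACKGROUND_SUFFIXES)})
    # Unresolved destinations are kept: the report does not say who made them,
    # so the analyst has to decide.
    connections = [c for c in conns if not is_background(c)]
    return resolved, connections
```

Run against the rows above this leaves dl.ividi.org as the only resolved name and two connections: 159.69.186.9:80 (dl.ividi.org) and the unattributed 20.231.121.79:80, which the report records without a domain and which therefore stays on the list for manual review.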

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

128s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2044 -ip 2044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A
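The three "wrote to memory" rows, the "Program crash" row and the two WerFault command lines in this run describe one event chain rather than three findings. The 64-bit C:\Windows\system32\rundll32.exe finds that IS.dll is a 32-bit image and relaunches C:\Windows\SysWOW64\rundll32.exe with the same arguments; the writes are the ones a parent makes into a child it has just created, which the sandbox flags as WriteProcessMemory regardless of intent. That 32-bit child then dies because the sandbox invokes export #1 of an NSIS plugin with rundll32's (HWND, HINSTANCE, LPSTR, int) argument list, while NSIS plugin exports expect the installer's stack and variable pointers. WerFault's -p argument names the crashed PID, so the crash can be tied back to the child in the WriteProcessMemory rows. The Python triage helper below is an added example, not part of the sandbox report: it parses those rows, correlates the PIDs, and separates the expected WoW64 relaunch from a write into an unrelated process. The explorer.exe row in its sample input is invented to exercise that second branch and does not appear anywhere in this report.

```python
import re

# Constructed input: lines copied from the behavioral4 Signatures and Processes
# sections above, plus one invented row (PID 4660 -> 9999, explorer.exe) that
# is NOT from the report and only exercises the non-benign branch.
REPORT_LINES = r"""PID 4660 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 2044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 9999 N/A C:\Windows\system32\rundll32.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2044 -ip 2044
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 612
"""

WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                      r"\S+ (?P<src_img>\S+) (?P<dst_img>\S+)$")
# "-p <pid>" is the faulting process; "-pss" and "-ip" must not match.
WERFAULT_RE = re.compile(r"WerFault\.exe .*-p (?P<pid>\d+)")


def parse(text):
    """Collect cross-process writes and the PIDs WerFault was launched for."""
    writes = {}        # (src_pid, dst_pid) -> (src_image, dst_image)
    crashed = set()
    for line in text.splitlines():
        if (m := WRITE_RE.match(line)):
            writes[(int(m["src"]), int(m["dst"]))] = (m["src_img"], m["dst_img"])
        elif (m := WERFAULT_RE.search(line)):
            crashed.add(int(m["pid"]))
    return writes, crashed


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(writes, crashed):
    """Label each write.

    A System32 parent writing into a SysWOW64 child of the same image is the
    WoW64 relaunch rundll32/regsvr32 perform for a 32-bit DLL; any other
    target is a genuine cross-process write and needs a closer look. The
    '+crashed' suffix ties the write to a WerFault -p invocation."""
    labels = {}
    for (src, dst), (src_img, dst_img) in writes.items():
        relaunch = (_base(src_img) == _base(dst_img)
                    and "\\system32\\" in src_img.lower()
                    and "\\syswow64\\" in dst_img.lower())
        label = "wow64-relaunch" if relaunch else "cross-process-write"
        if dst in crashed:
            label += "+crashed"
        labels[(src, dst)] = label
    return labels


def triage(text):
    writes, crashed = parse(text)
    return classify(writes, crashed)
```

The same pattern (System32 parent, SysWOW64 child of the same image, WerFault -p naming that child) recurs in behavioral18, 28, 8, 10, 26 and 6 below, and the Win7 runs (behavioral25, 9, 23, 27, 5) show the same WerFault invocation without a separate "Program crash" row. None of it is the sample injecting into another process; the regsvr32 pair in behavioral13 is the same relaunch, which is also why the SysWOW64 regsvr32 command line there starts with "/s" and no executable name.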

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ = "ILiteRow" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\NumMethods\ = "21" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\ = "LargeInteger Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\ = "LiteStatement Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ = "ILiteParameters" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ = "ILiteConnection" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\ = "LiteConnection Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\NumMethods\ = "11" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ = "ILiteStatement" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CurVer\ = "LiteX.LargeInteger.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC\\sqlite3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\ProgID\ = "LiteX.LargeInteger.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ = "LiteStatement Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

Network

N/A

Files

memory/2100-0-0x0000000010000000-0x000000001009E000-memory.dmp
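The "Modifies registry class" rows in this run are a COM server registration performed by regsvr32 on the dropped sqlite3.dll: CLSIDs, ProgIDs (LiteX.LargeInteger, LiteX.LiteConnection, LiteX.LiteStatement), interface IIDs, one type library GUID and InprocServer32 values that point at the DLL under the user's Temp directory. Those values are the host-side indicators a responder can query for after the fact, and an InprocServer32 that resolves into a Temp directory is the clearest single check. The Python helper below is an added example, not part of the report: it parses rows in this format and reduces them to a hunt list. Its input is a subset of the rows above, copied verbatim; the report escapes backslashes inside string values, and the parser undoes that.

```python
import re

# Constructed input: a subset of the "Modifies registry class" rows from the
# behavioral13 run above, copied verbatim. The report escapes backslashes in
# string values, hence the doubled ones in the InprocServer32 row.
REGISTRY_ROWS = r"""Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ = "ILiteRow" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\ = "LargeInteger Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC\\sqlite3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\ProgID\ = "LiteX.LargeInteger.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection C:\Windows\SysWOW64\regsvr32.exe N/A
"""

ROW_RE = re.compile(r'^(?P<op>Key created|Set value \(str\)) (?P<path>\S+)'
                    r'(?: = "(?P<value>.*)")? (?P<proc>\S+) (?P<target>\S+)$')
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
CONTAINERS = {"CLSID", "Interface", "TypeLib", "Wow6432Node"}


def hunt_list(rows):
    """Reduce registry-class rows to the COM identifiers worth hunting for."""
    found = {"clsids": set(), "interfaces": set(), "progids": set(),
             "typelibs": set(), "inproc_servers": set()}
    for line in rows.splitlines():
        m = ROW_RE.match(line)
        if not m or "\\Classes\\" not in m["path"]:
            continue
        # Segments below ...\Classes\, with the WoW64 redirection node removed
        segs = [s for s in m["path"].split("\\Classes\\", 1)[1].split("\\")
                if s and s != "Wow6432Node"]
        kind = segs[0]
        name = segs[1] if len(segs) > 1 else ""
        if kind == "CLSID" and GUID_RE.fullmatch(name):
            found["clsids"].add(name)
        elif kind == "Interface" and GUID_RE.fullmatch(name):
            found["interfaces"].add(name)
        elif kind not in CONTAINERS and "." in kind:
            found["progids"].add(kind)          # ProgID keys sit directly under Classes
        value = m["value"]
        if value is None:                      # "Key created" rows carry no data
            continue
        leaf = segs[-1]
        if leaf.lower() == "inprocserver32":   # the report also spells it InProcServer32
            found["inproc_servers"].add(value.replace("\\\\", "\\"))
        elif leaf == "ProgID":
            found["progids"].add(value)
        elif leaf == "TypeLib" and GUID_RE.fullmatch(value):
            found["typelibs"].add(value)
    return {k: sorted(v) for k, v in found.items()}


def suspicious_inproc(hunt, temp_marker="\\AppData\\Local\\Temp\\"):
    """InprocServer32 paths under a user's Temp directory: the clearest single check."""
    return [p for p in hunt["inproc_servers"] if temp_marker.lower() in p.lower()]
```

Each CLSID and ProgID in the result can be checked under HKLM\SOFTWARE\Classes (and the Wow6432Node view, since this is a 32-bit server) on suspect hosts; a hit on the InprocServer32 path alone is enough to say the installer ran there.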

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 163.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240220-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3900 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3900 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3900 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 852 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 852 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 852 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 163.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 220

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 688 -ip 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

135s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3520 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3520 wrote to memory of 4952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 88.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 224

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3308 wrote to memory of 3704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3308 wrote to memory of 3704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3308 wrote to memory of 3704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 4644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4644 -ip 4644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 600

Network


Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 4440 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:38

Platform

win7-20240221-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 228

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240220-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\TypeLib C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\ = "IEvntCntr" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dpblck C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\hp_chrm = "http://search.ividi.org/?src=tbhp&id=6cb57df7000000000000565622222c98&affilt=orgnl" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96} C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\CLSID\ = "{8B8B2E80-1444-451D-AC8E-EB9A847F3887}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\ProgID\ = "escort.escortIEPane.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\dfltLng C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\0 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ = "IXmlCnfg" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\excTlbr = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1\CLSID C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ThreadingModel = "apartment" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\VersionIndependentProgID\ = "i" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ = "IXmlCnfg" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\admin = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ProgID\ = "ividi.ividiHlpr.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dsFFX = "Search " C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiTlbr.dll" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ = "Ixtrnlmain" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\ffxInstl = "all" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2912 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 reports.montiera.com udp
US 69.16.230.228:80 reports.montiera.com tcp

Files

\Users\Admin\AppData\Local\Temp\nst17C6.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nst17C6.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nst17C6.tmp\chrmPref.dll

MD5 b2bff24dcb4606c6c8474f979bfb4858
SHA1 5671b867df8ce726d1075909cd40f3934d680da6
SHA256 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af
SHA512 e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874

\Users\Admin\AppData\Local\Temp\nst17C6.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll

MD5 db4961bbb3c1cf487904b15ea5b5884b
SHA1 d1c23d22e93d3f9b268f99519d38d010ff99ea6c
SHA256 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12
SHA512 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d

memory/2912-38-0x00000000027D0000-0x000000000286E000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst17C6.tmp\mt.dll

MD5 4fae8b7d6c73ca9e5fc4fe8d96c14583
SHA1 10865e388f36174297ec4ecdafd6265b331bfdcd
SHA256 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f
SHA512 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1

\Users\Admin\AppData\Local\Temp\nst17C6.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsi1873.tmp

MD5 d3079578282b28ba03ffdd2b6b4e0e1f
SHA1 6fe41d64a9132030121a9fe5cf2850b813767857
SHA256 31a17eeaf1af357533c4bafed56ffdf89b7a9c3b71b7081c3e3fbc01033b7b8b
SHA512 6287fa74ba3add7407ea65c5406e13ef151f778eb0ba1acd76cd32e17da92be5d6ba98c616132730d558026a94241d24036643e2eae35b164e78140869254f50

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsy1884.tmp

MD5 f4c67df51bc663d0fe796da555808daf
SHA1 401b211bb00735844e776c42808584a68644a82e
SHA256 3de9f09bef858f665cb65798f1a5d9a3554b8965d318abbf0df42736294db187
SHA512 a6a8636e3c6676cc181aa41f1f2490177baf38920bd9c3fff2181475ac542fd25bf16c4f409a1c93d5eb3f6e20842aee529646a655e80548bbda752cdd38c618

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsd18A4.tmp

MD5 c1f678982f2e14ee43ab9e25d6d4dc1b
SHA1 283c5f9db053718e4f5f9c572f18502b9ff1e6e6
SHA256 f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f
SHA512 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsd18A5.tmp

MD5 55e77d60d71bb65a8fca04818df04968
SHA1 0d40f3710f9d137b2bdc4c725d2953ad84e5778e
SHA256 2f7e1067489437ae1d4ee047aa7f3800c44754f59a2b555a5a02a61163548ae2
SHA512 89d0efee4f55e5a93caece636c36702aad71bb2c9ba6dba4147d325131ad4214d6c192df3e2ae4963278eb394dcf61e746d6d6bd61771cc9f25eee240e09bbac

\Users\Admin\AppData\Local\Temp\nst17C6.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/2912-270-0x0000000000570000-0x0000000000582000-memory.dmp

\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

MD5 690df0811fc73ff2219183e5d80d824b
SHA1 a720126932f65de281c6f34c5512be8f787f7161
SHA256 19e42855c02278efba771951c712468221e3318984e65c866590899a70e9b8cd
SHA512 7e5feae85b18b479a014f050a31d276b3a7d82600b1ab62338c371b9093e23e59021973ddb2cd5783247be076b5824f96bb7f05998c5fc26e971307e1cbb49ce

\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

MD5 abbbe3516d8a6280b94e78ea7060e9c4
SHA1 a2f22d9dc3db1f10a44902e5cdfd7431b27a8671
SHA256 63601ef9667c037dc62dc92c7b389edfb4191cde9063d1059996b93f035f454f
SHA512 2ce546ef005dd07b5022fb524107c07693dbd58c21a2808060958baa7b968064c4e855d41c52f25ed89a3026460a6c9d413481e1d55f678ebf2cd5d170faf549

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1AB6.tmp

MD5 03c1bd0827f5d45d252165a379312a42
SHA1 615080139c3860a6dd984a224e81290357647cd9
SHA256 6c8954c926587b318dc77a62e4a9fbbe75707eb4cc74e23a81404b7572992011
SHA512 77940fe0d248d3868373775a2a3d2bac5e3e4fb676ba82a95cf59617a9a34d4590192e84451edc74e9d48f9ecc5902171f312366c64af36a6874daefffe7aeff

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1AC6.tmp

MD5 40c4cf19fabd38737dabf2971f6e4c36
SHA1 bf92605d8801032b9750982fcf9de38402d1ef46
SHA256 023c9c799ab44461afa2c8bee81f33c0086230128dcbccff3842d1ac9db52796
SHA512 7adfc12b4f906d81ea57b95d28038909b61e8296bcd48e517d9279a37a1c644cdbf6492c83ffe4ba1e16e3cc350c7adf56dbc9169af46b032f567a455e897cb4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\user.js

MD5 3a2c21148c9891ed26f9c4536669e0c2
SHA1 7eecf5af8e858bfac28b8f0832511d2b48b5fa72
SHA256 5f4ade8b37e2961818db033f06a0877a7a560a1c1121df75cc4ab1eea9d89a99
SHA512 9eb17e54d837470bf313822c21d38821217edcb74eca974eeec47b6d8f3b738ba28a8f2298e672bb87da0f9e164a0cc55244490843a9f59e363de3009481bbcd

memory/452-823-0x00000000003F0000-0x00000000003F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst1A36.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe

MD5 351707305245428eae73bc1add4e1e43
SHA1 a7c2eaa393ff9a96bf040a9f942b5a26807253f7
SHA256 c61eb0ab6df8f89573a9caa6876743f1fb7dde313f322df5ee8bb0e2fe07b00a
SHA512 00d766f16eeec9e6171dce6966a0729c43e0e14ab5f405672e1eddc764485aae12fb2d47ee842743df6d70728f703c65def81ba8cbb3cbcf3244ee1d63e4db63

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\user.js

MD5 1857ffa310a89162745e2d7229a2bf69
SHA1 9e8ca7b812c2024e3eff1ef53d87847755cf33b1
SHA256 919fbe7df05b3db17e768ecbf446de2b41cc7ca0330163978706f66bd37b9caa
SHA512 c3d9ba6e1588208a0e85c066607f11763edf2e7e319dfe34a30be85d0d08567f93c8de617a7f9c0f7f85c2015c189c397c578cd49da78725ca9de72126333715

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1B66.tmp

MD5 99f04e47feafbf8ebfc3d42989c9abe5
SHA1 e64bf2615afdf9cf4b9e0965d654c2b8f097c36d
SHA256 0a174321eec789e21b5c85583be4d958004e018ab5eb1e3c75ea302c44714388
SHA512 c1207355811daebb2604b007448c7a704aa0bfd933ea14e2807b60289032977579dad23ceae492cb7cbf2280ab4d5242868f92cbda9810b2e14955d4a819a961

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1BA6.tmp

MD5 5f9da0d5d4d7c9594282adf23d4ee084
SHA1 96869b9f7e5e695d25a0091b66fcd8291ed1f637
SHA256 91b51788e2fe4ff4b8957dec6d3f5115f299246d22dd342f9f5cf85a25b09ca4
SHA512 532e0cf0fec58924948e947a935349708ecc8e291a62084e9f1831b6ef9a7ea611590467cde028ba42b711f2677934daca9e645bd02ad0950b6f65741c7b04c1

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1BF5.tmp

MD5 faa7d4b8118e1aeefe8a7517ca541f2c
SHA1 55214d20c11829204b17c31fde07ac1bd010a43a
SHA256 5743d243d380b76b006f00b5e774c2a09c1f3d59e42f6034481c0de180db4513
SHA512 f5ac71080d512b7d08535ad3653171ad76154f2c6dde479d9b6ff6af44ad51799b25587aa716b3359a0b126613bd783fc73b454f02182de7f7c4adcef0e5abee

memory/2912-1202-0x00000000005D0000-0x00000000005E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1C44.tmp

MD5 cfe51bbcf1ff1fa7b5177c6466bc9e37
SHA1 78436a7cfd1f503f5c871155282de865e977e82a
SHA256 569656ce1940331bc8deb2bb000d897cb4ee3eadd5a9215672dd6d36dd393f62
SHA512 10321e61df96b9d33ce12d34905e5240861f9bc62c3762d54f0ed6935eda2cacc39ea5509ec2094efa35138b41ba2517e4ee1ae90edf24eae5c0fa5c66f7b9c4

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1CA2.tmp

MD5 9f7a396100ffa5ddf33259e306534291
SHA1 8ba62352da920ab726339ef98d8d27f15d83c151
SHA256 3ab5297a3c788b19f2f997c4d0dbed27b1f86f4dfa13d98f9c541f7575426b55
SHA512 9371d753254c36b8560375d89a78242fc877af885496646ba4f69417c52f195dab6b366341f5714b3a86b63b6b4236628a49a54e1901e3b844517b2c637df98b

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1CF1.tmp

MD5 59682c097c82d5f2ed500f76684c5397
SHA1 9d04e1afd88cf41459f2deb2cbf23a3f33cfe3d0
SHA256 ecbc3420952d2965ed7e683894bdd871d89b97700908a81efa82a01c241ad62b
SHA512 0e7c4cb630d607e6148bcb57562d47ccd54210de16a80b1a8868e92b48ab2db114f7e5306106cb5aa14e060b7608401f41fd57f55b1e94a1c39378be1bb68b71

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\user.js

MD5 e873c389dcd0f0abd1c523d0429de3a5
SHA1 98fe8252b9fd5f6f206a304943fa01bae5585cb3
SHA256 b48660e6f293a4a6878a891d49f84ad3f6b92ee011a8b324c5760c5e535dc77f
SHA512 7b76249a83867b6a63ca151e101883712fea33436d83952d9e95bf1788090af7a4641591d822a480a8fb8486a45416b1687091b5959bba2048bd4c7928d260bb

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1E2D.tmp

MD5 c77a982d1fec8809f1f56b2220b98702
SHA1 493ee87b2eaed2f930ddbcdfc0aa08ce01832b14
SHA256 4929dd6438da2eeb48e99926f6347d6bb867fd6136aaa79a439200d39c4b396b
SHA512 354027e6c85d8508c50a886876ee765040aa95487ff10519792ac0ad32892fdb99b4fd03f5f1a9aa8d65c0a374577b4444f1d7a51e6e06e0ed1b255d41c8304e

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1E5D.tmp

MD5 e804b89458e81da2a3952c824abfeb79
SHA1 2582e504caef1225970c9ed6d3bc67eba4998020
SHA256 a04e299b6c931fc662b22992177e86ef257608f1cbe7b23c0836207791207110
SHA512 a9c7ea64ada2ea23c6a029b56d7be15a2a1b49d5ade6bffbe3490f741a6e86303c271ce82d6de04d1abee0bc1262a27e94d98748e7f5531742211fcabdfb8757

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1E9D.tmp

MD5 b8a50d3a85c1ac2005e9a318f5abf254
SHA1 9c64959a5740cceab52b431099ee6bd12f7105b5
SHA256 49f80954ddc5b1008017ca6fc7f11cfabbfacfb2e7fb40a84eeabba3dd78d6cf
SHA512 170ba1cdaeb576da5c77c19d25712fe71f2560c85bcf08238235d5b48eaf8a655ed5e4a34fe5f148ce21e99de6a9f0235a5c4200f42b90a6c0c9e6e3bbd3102b

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1E9E.tmp

MD5 66a549aabfc03a1ec7afb576b0188a29
SHA1 2e3c237b7dfb580ceada69e08b5531c426245103
SHA256 8d543d01769ff2632682320c81ca951d7ba78c6a0be88f20ff39b83325cc198f
SHA512 e606525673b4e54515df024e731efaff341f4a2e243d91488dd8fb285443d4b58e4c24afc8a5e7bcc60b2aa4163b09a2bf96b277b23f1cf1d971ea24d569bc09

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1EAF.tmp

MD5 b4d771b79d764fd215f221b44ec94055
SHA1 af32efa31807236e9d5edcf7ddea72e3cadc3b63
SHA256 51b68b68e91fa9563e3d334e9844cc8ce49b1cb02eb8104878aee2b47e5574ee
SHA512 f50f27c3b9cd7d6c194786c4fac79a320a74678344c42dc3fdffe7644b409070d8a401429adbceaaf49b19264fd0046f6bcd7404bdcce0a0b2893b48ae81a4f1

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1EC0.tmp

MD5 3c7b8424f064f55e80aaf7e28bf37a78
SHA1 98dac18586b59796292e05115e6a33f3bfe52c04
SHA256 99bad23318a9bdcd1005bb3eb289af28ca3f5aeaa39ead9b3ffaac83aecf3883
SHA512 693074dd76397bd008345c94f789cb5a9945760f8d442d314ee29f3b420b00242a386b0eed739b8b5adb030702932b01b09e0e640c30424b2431b82d72a956d4

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1ED0.tmp

MD5 b8492849ef4e7a754ccdccfe45d0f907
SHA1 95dabde944c0887d30649c4be32dbc98be37c463
SHA256 4747d49286dcd3de52b7ec3a3d132ae2cf3b5f814ce7feae0c574886d5b1069b
SHA512 4f4b32c9b5d1731fa2642784df28140fa8041b507d6a8c83b24fc5b01ba181893eab191db7981181a9db719ac70865715d3db6d82eba157215f294b1480ae2a3

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1EE1.tmp

MD5 e2509218f4d2685c67da7d87a62462d1
SHA1 3d26138b253767a1302b5356243a3c12e5315053
SHA256 46d335a4c5188de444ce6d7100f4ba6a815370ea650747d00f79c5933e762f3a
SHA512 b34520fa836397046b907e572387416b75e6b5743855394bb3514b02a6b3d3e957b7bb8a13b4a1570ce7c095ee138e04557397978b8187150c5760676ffd49bd

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1EF1.tmp

MD5 8671f2a532015f10a6e11bb0ccae3298
SHA1 93e903d01468370214d91619f393a4436e637019
SHA256 a66d5e784598f7291d0c3de1cefe4f5288837ec1218e7c7495380d40360ed80d
SHA512 dc346ee9c5a2bd3b885b27a842179c7968466ffcef9c55ddca399fed6b381d9ac096c4889968ccc1dc6cb62baead4babdb74a7cde1e823e2d65264c7da9fbe9e

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1F02.tmp

MD5 c43c28a65780cb5824789c36dae197f2
SHA1 878dcaf907b78b75588830813d926c547c412f64
SHA256 ed062d760f3140af464088db07e4ecfdd36373342a69230d475bd3f90cd03b9a
SHA512 8e6b6aa7990a19ec82db306e047d0ebc477a3fd0373f87c75c6134729606323813f62e53530fd132f7c328f2b439b25707486df4d6f613960006759ef530053a

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1F13.tmp

MD5 9df5f6dd29981f2752ce4787dbe7501d
SHA1 e775dfd18905f30153dd533f4d8f5aa0494b0079
SHA256 0213e7e5a772b9441bb25712185b7deb81437440ea5c5bae887c71550ff7f6b2
SHA512 8d5549b83d5da0ac41b17ddf57cf87a9a8d1f694bcd1a77915b89e757f0544d430ced2f871c35f487a11b0e2effd9837ad47647151afa35d33f5d6fccc32b341

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1F33.tmp

MD5 6886a159a6843ca7ac4f0af41aaa913e
SHA1 f35954ef399f6d5104d10c152e607ba682936111
SHA256 d25e735d48503c336c5341c9ca8c7972f47d6e681f20162807752cf3f2de7c7b
SHA512 6be0112a7de1d6c148acfa9b7945a2cfb8031d66a6ad3cfee11cbc82dc2c46d2c77db38b5b5bc36607bd676fcd880dd6ced22df2a7905b2998e74ec38c68387f

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1F53.tmp

MD5 fe7c8c70f116e1d743702caebb22dcdd
SHA1 0fac992cb59b4f4e87d536e4c9513b7e6e50f721
SHA256 ec0fee61128907f29031e6a134f089315fc38afdd887bc76900418b4b6ce4ac5
SHA512 299e8706f55695f1d4b07235122fad25ed3de67b28df889a4fd5575d8e6c03c27ba9321cabcdba08e7ab955f8c5f21d8e25f731e6cd5ce1adc9309effad3fc2a

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1F64.tmp

MD5 1acc7c8b8a565964036f80eb4c913ca2
SHA1 b994b4549440f96a6965239b647e91eb81d22240
SHA256 60edfb1f614b491f52053db5674d9a3ea6f239419034acaf1dce80a8dcedd456
SHA512 13fd290d718f7c2a4729531f0154b29b7af8df122f40df818869039837bec62c56999d44159f06d209a0c593e9ef0d745f79f22b8492a032d71d5db88a8ac3fc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\user.js

MD5 938c803d721756621e0ede22adb0f5f7
SHA1 b36338d15f4846efa0f970aeed40e9be25e8f19e
SHA256 775ac38f0a1280e781f5ffc10ade9031881e0197bd84f0283b754a4568dff859
SHA512 cf400f274fd4caf3cc5a4d50233beb3e5effa8e969bab60a103c3d073b83c2802ad3a61d56988ddb0e239da8b0387dc10e127f13f41e9adaf96dc5beaa45d887

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1FE4.tmp

MD5 97073c802cd5c037b33a3a79bc6f9aed
SHA1 f0f7d3d68b4042ff95d25c9e1f66b25c8dae1134
SHA256 5ac8aa5919a8ea983a06276ba7c034af830098ee25875273e68b60be93d76f54
SHA512 3ad0090dc2fe065e177ccdd07c11cfc61c441654d2df492779fdf8b6eadf2a01c93073440614f3462392ec342312dd9b9156a4fd39346f59208b73ba8f5841bf

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso2005.tmp

MD5 3039b240ed14a716ee6d3c64fa989180
SHA1 3c11a0a75b84aa69d53688703ddac93ca7ff7c6e
SHA256 0db7dd35f46ee1ecfe8cb0317b8be1a5b9394737c8e9f27fc1216e264ab6946c
SHA512 d64adfd0ea4485107aa7942350bfca72214445b98ac6a03b1177a9efc1d8f8837abaf42292d88c78ae73cb2cc26618fd4c0d39ca9f90c14978bac2d2285400bc

C:\Users\Admin\AppData\Local\Temp\nst17C6.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

130s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 224

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2632 -ip 2632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20231129-en

Max time kernel

140s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1393730725ffd27aa0ecaaab6d62a744_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.ividi.org udp
DE 159.69.186.9:80 dl.ividi.org tcp

Files

\Users\Admin\AppData\Local\Temp\nsi935.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

\Users\Admin\AppData\Local\Temp\nsi935.tmp\IS.dll

MD5 c31b97adf54bdd6ac6d19ab85cc6bc57
SHA1 7e458577b1fe49885c21f38ba981f77b00bdd59b
SHA256 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a
SHA512 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790

\Users\Admin\AppData\Local\Temp\nsi935.tmp\nsJSON.dll

MD5 78b913fcd04259634a5e901c616e6074
SHA1 ad5e1c651851a1125bcad79b01ccdcfa45df4799
SHA256 e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59
SHA512 cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5

\Users\Admin\AppData\Local\Temp\nsi935.tmp\NET.dll

MD5 9adaffc2a1b579115e40407733d94dde
SHA1 866bbb0dbbd217aa287fe3324ecaa828e8d7b622
SHA256 b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555
SHA512 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619

memory/1848-19-0x0000000074050000-0x000000007405A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsi935.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 220

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20231129-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 240

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-04 16:35

Reported

2024-05-04 16:37

Platform

win7-20240215-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 224

Network

N/A

Files

N/A