Analysis Overview
score
7/10
SHA256
220ef32e116ece03f5b8495c29fdb4819a8cfef70861bc5a32f8fc56ab513683
Threat Level: Shows suspicious behavior
The file 93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops Chrome extension
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-04 06:59
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
147s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4764 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4764 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4764 wrote to memory of 4884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4884 -ip 4884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
99s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 1396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3048 wrote to memory of 1396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3048 wrote to memory of 1396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 224
Network
N/A
Files
N/A
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
152s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2748 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2748 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2748 wrote to memory of 5076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
155s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3328 wrote to memory of 2796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3328 wrote to memory of 2796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3328 wrote to memory of 2796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
109s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1124 wrote to memory of 876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1124 wrote to memory of 876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1124 wrote to memory of 876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240220-en
Max time kernel
121s
Max time network
125s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4584 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4584 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4584 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 224
Network
N/A
Files
N/A
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240221-en
Max time kernel
121s
Max time network
124s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 220
Network
N/A
Files
N/A
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
130s
Command Line
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 904 wrote to memory of 3524 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 904 wrote to memory of 3524 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 904 wrote to memory of 3524 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
97s
Command Line
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\ProgID | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd\CLSID\ = "{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\bh\\ividi.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\ffxInstl = "all" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd\CurVer\ = "ividi.ivididskBnd.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\bh\\ividi.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A} | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\newTab = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiEng.dll\\2" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ = "IxpEmphszr" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\ = "escrtSrvc Object" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ = "Ixtrnlmain" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dpk = "0a3f53c980904b9b590ec6231e2c0bf8" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\dfltLng\dfltLng | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ThreadingModel = "apartment" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | 228.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsx3394.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nsx3394.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsx3394.tmp\chrmPref.dll
| MD5 | b2bff24dcb4606c6c8474f979bfb4858 |
| SHA1 | 5671b867df8ce726d1075909cd40f3934d680da6 |
| SHA256 | 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af |
| SHA512 | e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874 |
C:\Users\Admin\AppData\Local\Temp\nsx3394.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll
| MD5 | db4961bbb3c1cf487904b15ea5b5884b |
| SHA1 | d1c23d22e93d3f9b268f99519d38d010ff99ea6c |
| SHA256 | 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12 |
| SHA512 | 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d |
memory/4728-46-0x0000000002740000-0x00000000027DE000-memory.dmp
memory/4728-43-0x0000000002740000-0x00000000027DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsx3394.tmp\mt.dll
| MD5 | 4fae8b7d6c73ca9e5fc4fe8d96c14583 |
| SHA1 | 10865e388f36174297ec4ecdafd6265b331bfdcd |
| SHA256 | 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f |
| SHA512 | 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1 |
C:\Users\Admin\AppData\Local\Temp\nsx3394.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nss34B1.tmp
| MD5 | c1f678982f2e14ee43ab9e25d6d4dc1b |
| SHA1 | 283c5f9db053718e4f5f9c572f18502b9ff1e6e6 |
| SHA256 | f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f |
| SHA512 | 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | d5da78293d8383edaca2745be2bab8a8 |
| SHA1 | 970ce7995a15f9fc39f0829126c6a4cfa547da15 |
| SHA256 | f778a088ece5db5be81b5a5edf81e1efa2fd778823b7ab655cca6da0b772f73a |
| SHA512 | 9f31cbb2d5ef23491af9b6c62665ca40b078e83c4c5836f5eba74cdffd97eb1478b0ad889dac8227c309c09d652ade015c924d6a3dcbcb630085e46169da824c |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsn34E1.tmp
| MD5 | 55e77d60d71bb65a8fca04818df04968 |
| SHA1 | 0d40f3710f9d137b2bdc4c725d2953ad84e5778e |
| SHA256 | 2f7e1067489437ae1d4ee047aa7f3800c44754f59a2b555a5a02a61163548ae2 |
| SHA512 | 89d0efee4f55e5a93caece636c36702aad71bb2c9ba6dba4147d325131ad4214d6c192df3e2ae4963278eb394dcf61e746d6d6bd61771cc9f25eee240e09bbac |
C:\Users\Admin\AppData\Local\Temp\nsx3394.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/4728-279-0x0000000002740000-0x0000000002752000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
| MD5 | 690df0811fc73ff2219183e5d80d824b |
| SHA1 | a720126932f65de281c6f34c5512be8f787f7161 |
| SHA256 | 19e42855c02278efba771951c712468221e3318984e65c866590899a70e9b8cd |
| SHA512 | 7e5feae85b18b479a014f050a31d276b3a7d82600b1ab62338c371b9093e23e59021973ddb2cd5783247be076b5824f96bb7f05998c5fc26e971307e1cbb49ce |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
| MD5 | abbbe3516d8a6280b94e78ea7060e9c4 |
| SHA1 | a2f22d9dc3db1f10a44902e5cdfd7431b27a8671 |
| SHA256 | 63601ef9667c037dc62dc92c7b389edfb4191cde9063d1059996b93f035f454f |
| SHA512 | 2ce546ef005dd07b5022fb524107c07693dbd58c21a2808060958baa7b968064c4e855d41c52f25ed89a3026460a6c9d413481e1d55f678ebf2cd5d170faf549 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll
| MD5 | 57543e6554f60bd4082306d26245bfe5 |
| SHA1 | 70d4b021173c42dc82d40073fabe7fc0c28ebdde |
| SHA256 | 7838055c1f0aabe6df5b5fb3c6db737936eeee6d2314339082a7586414ae81b2 |
| SHA512 | 317557cddf5d666c2ed677619d9b98424cadc624e1e31067403ab7646008ce5496687e46fb07b4c61d0aa967bd0b3ac144acc3672c64ed66c1b3dd0d23938399 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | 083c167b42953943affe6c7317ff1c14 |
| SHA1 | 7aa2d406e06cccd648b4d070ed2a2829b3d86395 |
| SHA256 | 5c1ddcfe2f3b4d73afe9730a592244500a321fde7f3783409b99948f3eaba45a |
| SHA512 | d96ffe8f32bd03eb548d2551e57ee0d94df95733490b3fdbd0eb3672f3e636b98b27598b506742477da3d014618e8320aa979db99f78f3cb1be2bd04043736e3 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll
| MD5 | 1989cd78346c1f430484236daca1c2cc |
| SHA1 | 9d9eaece8fe80dd400a1af12595a5a32e931abfe |
| SHA256 | 2d8ab3f2dfec1393b75e1ba8d12148ab5b5e334d1b071754e08f7087b22cdcc2 |
| SHA512 | 00aaf06bc2a092ce3d9b8d95e685a9fd0b61a8a5afb23910bdeb43a82bb294f54ce21a05823cdca28aa67b520dfb4091c847f4ae2ea211156441dd3e5a50205a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsz37DF.tmp
| MD5 | 1e9dc38dcc30cc4d093054571e45aebd |
| SHA1 | 7e16e394ef3b862cc60f5dd119cc0797e5035acd |
| SHA256 | 270d886443f1dfa53592285e46007d9ed75dde6e1055723d4bcbb457897148f0 |
| SHA512 | 0d243b4b4e23af1ccc3d781bab0dd92add22b1621d897dedefd3d7893679202023ae816e8603f0e38c6109e238da3fa1e470c38ced0ce0d9060219fb7cc27e0a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso37EF.tmp
| MD5 | 21f672f140698e080526bc63061b9cba |
| SHA1 | 3ed90246cc106163afddf19b21c027a76a5f9915 |
| SHA256 | 10c6dc3559e567aeb41bfaae74afc40c811e04594de6bd775f1b5898440d3b06 |
| SHA512 | 0e7c877c0d649a01cdcd0c80deba9a87bbea3789a4f9f3799e01fb33f671d861d41f41827d31e66d50f051e223bbab7fec15c3beb40c687ee261fe859d50e43e |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsu3810.tmp
| MD5 | 7fee77dc42bc0e9932c8cf5de520065a |
| SHA1 | b0d968e089b4bee2dae923ff4908ee3665dea3c3 |
| SHA256 | c1e0eeb8fdca8d7cb23d96b62a52c3dfab18ed2a4f208bc829b161841cdf8a45 |
| SHA512 | 00e0018c2980283f31e2a812beaa16a418ecc81fd7583f7897dfaec86a9e0b5e2b2a23bf3ebbecbd45081b5a568bde5e39d5220effc5b4f1d5adf41159d4517f |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsz3830.tmp
| MD5 | 128f8c6f064b182389b43b938844802d |
| SHA1 | 9dfb4a5b7e90dfaeed3c7a736884b6105ecf0e49 |
| SHA256 | 39aa3452071d872a134dfdac8fafb00e1ebe3e8f7b8050268d27218852798c61 |
| SHA512 | abca45c3052b84fb045d99c40d6836ce1b9ec77877d20a2acf03891895889382a47a52f27ed8512e0d5c3a57eb8226b9191b622d6fc8dfa800b3b4a1ae1db657 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll
| MD5 | 8a7e5619cbb2c659b3dd2d9c4a09db98 |
| SHA1 | a7eb94c32ca25dc1a9eb461d2d97d48475e010b4 |
| SHA256 | eae253b5691720fadd70083ed874b53929287a3d93834a3206f78ddf8fab1201 |
| SHA512 | 14f126006dccead7a344e69e6f21de15bddc6ed30fc248df4043838edd6ed838eae2db0f9ea1204584064a4426d610aeb34f268e37a98f54f274029763a146c1 |
C:\Users\Admin\AppData\Local\Temp\nso3700.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
memory/2372-1094-0x00000000021A0000-0x00000000021A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsu3860.tmp
| MD5 | e64478690b9927e62a8a3f274ab3290a |
| SHA1 | 5fe8501173beb2a9bf355e500aa65381f65838be |
| SHA256 | b9aa5b0e0f8c44eed89ec8003a3153c1a67837cf55a221ea2dde66cc7549f437 |
| SHA512 | 578a6cf7b4720c0b46dd83c751b62cf96bf664f973b6c9c25e12478367060867911d445e78ea165764ed170311097c53f35b5063821d1cdb5592f48f0629e0f0 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nse389F.tmp
| MD5 | 850f7695bb6e1609c01691c97d184a03 |
| SHA1 | 3a8f25f5ed6c20d8ed735a4d61baaf927cd3dd83 |
| SHA256 | a2dc6d039a4fd3c14a1dd8fec2a3f8eaf403166edf4a355b66d7960907b6f710 |
| SHA512 | 392e8afa2e45990fe76697082a0398fb8b472d010898b6eaf442690acc00196db1eda7a6b56ac029334b4aed91b80088c65885ba428050cf731fb6055eb6c796 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsz38CF.tmp
| MD5 | 6bcd5e96a78c8fe893ab52c64d73d27a |
| SHA1 | 648cc9d9f8cb72b1c8c02a6a6903acd75ac61f25 |
| SHA256 | a5098f731545d0a5740d657d24652389f23445f2462b5cc9ceb2c6dbb657c34d |
| SHA512 | cabb45c0dca019858fbae93cba7a4c66245bbd3cf37506553958b39bc17dca0c31af864c0dbd5d6a64328943c9b2797988b162800890ceca6b55a9a50263f3ca |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nse38EF.tmp
| MD5 | fba672ec71cd67fbe81a3db15390cd99 |
| SHA1 | 016d0f9d1cdbfbb35c8f4623c4fb4856b8913415 |
| SHA256 | 3bead5e144bdd80426d15bbe375b2ec80778950f57a05f7bb9b84ebe6cd3f799 |
| SHA512 | 3d5e4feb0fd59ee1d1f20d2ee7131f3c061d68da601104134f01084be538909bec1ab6e3ee5d3110a8b8f60d37d40b1b8c79cfd8df378adcf5e8a9f01804eefa |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsz391F.tmp
| MD5 | 3dcd125449a787be527a0a4448417008 |
| SHA1 | be57e70b8c5c0e114e5bd109a03b23160e5a58a4 |
| SHA256 | 14c67a5cbc744e7dd81ef967cbfb602477dd63f84c457603632f1738882f48ab |
| SHA512 | f67a56e3d56725fbda09dc1332b17fd2c52a57ae01fd39fbb1b835cbaee37905c797eac10ca69d7d900699c72bdcb30c814d6b1fbbfdda3b4d3b5628deaca024 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsk39AF.tmp
| MD5 | 6ca17ec7c7fe9e9e64237ab49f94897b |
| SHA1 | bfeeb725940750773053ae9cc153000419ef8ff1 |
| SHA256 | adec271c02494b41f5e5ec0545ebdc4552aac5b51b946c9085609b3966e01734 |
| SHA512 | 5b89af2e29f9fcf71a10f1ffec18edac95700ae51ebef8a85c3ae58e9bef06a52617283f6b895a9a09d7d9028489d7d58fc47df989d14d5f9f829328ef1106ba |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsf398F.tmp
| MD5 | a4ff8d160c828a02982e16dd52ec02d5 |
| SHA1 | 85bfc6d9af59ed9137d66946e0745772d07ba387 |
| SHA256 | af52aa52a6c68121f2108fbaf3b867b4066920ea762d0fa8d0c2f0b22fd52b9b |
| SHA512 | 5ece11c6bdf31645103d3e898f5984272bd18d7ecd5055a33ca8fc75fb1ab20bd8a760604f22c6c53cfadea8b19e9fc9db64d5e761404d2c1a405a129f6c1e71 |
memory/4728-1896-0x0000000002C10000-0x0000000002C22000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | 82dd49d5a0933024094525d5b7c2b670 |
| SHA1 | 958109f609840a2d594691b3b33144a440e109d5 |
| SHA256 | d864a535a939403ace8e7c09c79e4a2c86ce681594ec8dace21e6f7e6b341267 |
| SHA512 | f2ce26e3f95898700af6cb918340496df22ae85ac1eb51657e9269843293cfbe323fcabfb6f09139bb0f001ea3cda1078b383005ae811298782141ce9557dd84 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsp3A71.tmp
| MD5 | 2412b5386151ba18f9ee558f995384d9 |
| SHA1 | ca92b11e7d3ead8c24e98f5aa229ed887f34c7d3 |
| SHA256 | 154b3336103654d2c0dfb981237dc933c95c07b4525835686ee4ee4901fd5e6b |
| SHA512 | 839a76b00667a02aa97887ff939d6cc99fc7e2e5d0e1bdd50b0fdf0ced29382bf0912df60b08ba57dd741a1eff8528e5ff98c2d6e27606b71227de791cdf5d7d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | 1d232e1ec85832ca7f27d407a00c594c |
| SHA1 | 71f6e5b02fb3e18aafb43327dc617d9787b39fd0 |
| SHA256 | b971467781a7a769d1febbabf61dde96ded86abff8fa62533799eda78bbbb35a |
| SHA512 | c36b580c4f2c310cd8f1a491995233da645fb17c9ec34db513f696ebc948fe7244b3eb122d73729802bfe313922aaabd8e35654e227afb2f11bc50a65fd216cd |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsv3A93.tmp
| MD5 | 2aac044549e5f96717462256d47f91c3 |
| SHA1 | b8e7d18b1b502916928dc5fc41301f25c93ca797 |
| SHA256 | 60765066cc92af8cfc07a0e3ce68484983afd4090bccde4aa7136b5916263796 |
| SHA512 | 998b45356d94d5501b165da6412b2943851906df27dbd3041dd6dfbf3e1dfb084b0b79c4820a09a860df59b9b07d1279e993adf476c8a2c9023769bc857e44f0 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsa3B06.tmp
| MD5 | 5a8fce1f4cd8a839573cbe7c790168f9 |
| SHA1 | 08a0a5c9d6a206d34c8fb7cbe0500d83c4b4e4e1 |
| SHA256 | 6d7f221c0ad152e0744d72e4b22280c55bce770e3765f5a2a220889fc42eccba |
| SHA512 | 3c509b2c0d47b85105790f466992d9f1d6d63fb877619f93377c1f9e4f8444730beaecb8490d5c83d29b8611f10bdc88e2fabcc86df359f2722d8c51e7910e99 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | 3d687f83f26456aca0c6505a21495ffd |
| SHA1 | a54fc5e30ba18f1eb1afa17f1146231d6e6e4639 |
| SHA256 | a28c2cb5717bc53a92a37a738da993fee153388d453e67787452937e013f8777 |
| SHA512 | cd79cc6565aa06869bfed0afba70b26d3bf2651f5b2c679c32107b3adc3978480aa05199d284e120018922319869ece536bce7f70dfa4fe59b341ae76dd83fd9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | dec4955d4c0f5b1c331912862464d73d |
| SHA1 | cb6c7ec85f43f469dee48654b8b8bd7b02ae6103 |
| SHA256 | b6f953b1eded26065bf1abc2a2bfede49f6234eec699ba0ef97fa7c3a06891fb |
| SHA512 | 7c07bec44b7b59523096bbcec5b8a85dd077c5f325fdcc89cc0f1c37437e5c398b6fc440756780b9ae6757ce1a6113cb5fdea03a41e7a0ea3ebf02dd813fddfd |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsf3BC6.tmp
| MD5 | 95aebdea23a1e2b451e6b61c78921a9d |
| SHA1 | ff7f838efb3e0e2dbc32595e8a013748eddbcdce |
| SHA256 | 7f23839b3271a2678af2ecb588ab2c97181efcf786159d839fef672159754fc2 |
| SHA512 | e00edd5ea7b0607c134eba200fc161500b9e8038e2823a97aaa7a3cc2aebd181d0d698ba5f914bd82dd91006cd8143dd1615b9bb6c8e3bf8a458df331b7bba98 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | 400d6e9e457f562c937084149a23353e |
| SHA1 | fb24968518d78003dc258f2f2626a3d8d79c7efa |
| SHA256 | 33748d978580a7b7bb13159fee778bcb4b5979dca24c4e3a4ee58a48f4d8dea7 |
| SHA512 | a6f6ac8785c2de77b32f28fe775265b0d66e6f4dfc7c091aa71ee9825a56f8d89e7bcada977a2b01fb1d875ec4d63c0e7fbfe6378af21dcb5cd039f93bcf856c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\user.js
| MD5 | 9c99b67e06ced85238663fa5b542f92a |
| SHA1 | aef339825e1380ac01a8912d71341705deb647c4 |
| SHA256 | 8d052258af979e4318eaaf2280157ffc523d7ff7a33ebea8c4fdb310da692ba4 |
| SHA512 | 95bfd134dfbd2847544a8fdb90aa59e9b1d1667c126f81217c9d82e6f728eaf124a83adc2c675a9cdd9ea1ec78c9905a594982195f2a52f944e1e36310319eb4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | 4ffe4cd511e594c2c64f1dc8cf82b358 |
| SHA1 | 5a031b789b7fec2e06f96edc17ab4e1a4d1aa4e8 |
| SHA256 | b4af5db3433e0cc059608c7e17fede36dbbf1db2ef72bc333120634af4a3ef3c |
| SHA512 | f9cbe9b0b94c31217035caebd296f1619edd83723ecc2545abf43b765707f935181abe204c161a18a84968152ca06160ed5069aed59ac13edcff4185176727c9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | ed5387a2a6176ee75b452e8922aeb2ea |
| SHA1 | eef94bcd8b1d355b91e88008ee81576ebfb73e11 |
| SHA256 | 41cd52d54a830576a78fe0b0fd5b6684b4374d79e031d898b29a5bd6aae6de23 |
| SHA512 | 29ccf84b3a6b10cb49ae7b8352cca0797acd951e9eab9c2d9f2cc507f6d6e1d946898958e53d0b0c6f6977ea12461b39cf28b0af660aafe16cbc3aba5cbd17a6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\user.js
| MD5 | 9a37a5cbeca6b5772a34a6dd9ba2abee |
| SHA1 | a444b98b9ced418bb33dc9c428f89d8fd0031b2e |
| SHA256 | 8e09aae602a8445e6da55635b085ba766555e5745b5a9a5c309b7cf6668f293c |
| SHA512 | 0c9debafb1c753de03f3376e9b835a7eab647e97aa85f5549be0ee234ec3cb3a59e6893f9404b208aec72b7a2ed7e36aef6bf61e8090540e7c42554ad8f49f8b |
C:\Users\Admin\AppData\Local\Temp\nsx3394.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 224
Network
N/A
Files
N/A
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240221-en
Max time kernel
122s
Max time network
128s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 228
Network
N/A
Files
N/A
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
109s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2916 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2916 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1696 -ip 1696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
N/A
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
131s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4160 wrote to memory of 1492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4160 wrote to memory of 1492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4160 wrote to memory of 1492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240426-en
Max time kernel
90s
Max time network
143s
Command Line
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ = "ILiteParameters" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ = "ILiteProgress" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\VersionIndependentProgID\ = "LiteX.LiteStatement" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ = "ILiteRows" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\ = "LiteConnection Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ = "ILiteColumns" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ProgID\ = "LiteX.LiteStatement.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods\ = "11" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\ = "LargeInteger Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ = "ILargeInteger" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "ILiteColumn" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ = "ILiteConnection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection.1\CLSID\ = "{3E22694D-7B92-42A1-89A7-668E2F7AA107}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 316 wrote to memory of 1428 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 316 wrote to memory of 1428 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 316 wrote to memory of 1428 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/1428-0-0x0000000010000000-0x000000001009E000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240508-en
Max time kernel
117s
Max time network
121s
Command Line
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2116 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2116 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2116 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2116 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2116 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2116 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2116 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
Network
N/A
Files
N/A
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
104s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 228 wrote to memory of 220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 228 wrote to memory of 220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 228 wrote to memory of 220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 220 -ip 220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
143s
Command Line
"C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe"
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4984 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
| PID 4984 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
| PID 4984 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
| PID 4984 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
| PID 4984 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
| PID 4984 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | C:\Windows\SysWOW64\RunDll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsv2F4E.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 4984,1EE5B8B27E424AEDAE06AB9F3785D903,8017FCCDF90B4E5DACC0A87780A5A9C7,7BCB3CCBEB6C41008A2378AC33528673
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsv2F4E.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 4984,33888F6926D24E259958532D98A646ED,2BF3B8F1BA8C4A9B8D0C1A6D5C7D6875,7BCB3CCBEB6C41008A2378AC33528673
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | dl.ividi.org | udp |
| FI | 65.21.240.245:80 | dl.ividi.org | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.240.21.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsv2F4E.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsv2F4E.tmp\OCSetupHlp.dll
| MD5 | 9e4e850e12f2f4f869b2491dbbb17ceb |
| SHA1 | bd89581a89604b601c817ea680c2a224b46737f8 |
| SHA256 | 4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6 |
| SHA512 | 9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5 |
memory/936-13-0x0000000001210000-0x0000000001211000-memory.dmp
memory/2432-15-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsv2F4E.tmp\IS.dll
| MD5 | c31b97adf54bdd6ac6d19ab85cc6bc57 |
| SHA1 | 7e458577b1fe49885c21f38ba981f77b00bdd59b |
| SHA256 | 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a |
| SHA512 | 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790 |
C:\Users\Admin\AppData\Local\Temp\nsv2F4E.tmp\nsJSON.dll
| MD5 | 78b913fcd04259634a5e901c616e6074 |
| SHA1 | ad5e1c651851a1125bcad79b01ccdcfa45df4799 |
| SHA256 | e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59 |
| SHA512 | cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5 |
memory/4984-33-0x00000000733F0000-0x00000000733FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsv2F4E.tmp\NET.dll
| MD5 | 9adaffc2a1b579115e40407733d94dde |
| SHA1 | 866bbb0dbbd217aa287fe3324ecaa828e8d7b622 |
| SHA256 | b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555 |
| SHA512 | 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619 |
C:\Users\Admin\AppData\Local\Temp\nsv2F4E.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
memory/936-41-0x0000000001210000-0x0000000001211000-memory.dmp
memory/2432-43-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240508-en
Max time kernel
118s
Max time network
123s
Command Line
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\ProgID\ = "LiteX.LiteConnection.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\NumMethods\ = "10" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CurVer\ = "LiteX.LiteConnection.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ = "ILiteParameter" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\NumMethods\ = "8" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ = "ILargeInteger" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ = "ILiteParameters" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ = "ILiteRows" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\ProgID\ = "LiteX.LargeInteger.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ = "ILiteRows" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\CLSID\ = "{25EE8E01-5237-41F1-B29F-6AF441CF0924}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID\ = "LiteX.LargeInteger" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "ILiteColumn" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\ = "LiteStatement Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\ = "LargeInteger Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\CLSID\ = "{453A51CC-F944-4643-9540-A78253B8019C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1444 wrote to memory of 2996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1444 wrote to memory of 2996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1444 wrote to memory of 2996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1444 wrote to memory of 2996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1444 wrote to memory of 2996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1444 wrote to memory of 2996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1444 wrote to memory of 2996 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
Network
N/A
Files
memory/2996-0-0x0000000010000000-0x000000001009E000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240508-en
Max time kernel
121s
Max time network
125s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2244 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2244 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2244 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2244 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2244 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2244 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2244 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240419-en
Max time kernel
119s
Max time network
122s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 236
Network
N/A
Files
N/A
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240508-en
Max time kernel
117s
Max time network
121s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1792 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1792 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1792 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1792 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1792 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1792 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1792 wrote to memory of 2488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\i | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\ds_url = "http://search.ividi.org/?q={searchTerms}&src=tbsp&id=5ac85d7f000000000000d20227e6d795&affilt=orgnl&r=744" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\HELPDIR | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ = "IXmlCnfg" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\ = "escrtSrvc Object" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dsIE | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\TypeLib\ = "{905E34C2-F4EB-49BE-A36B-47692CF957A8}" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\VersionIndependentProgID\ = "escort.escortIEPane" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\VersionIndependentProgID\ = "esrv.ividiESrvc" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ = "IEscortFctry" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\ = "escrtAx Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\ProgID\ = "i" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\bh\\ividi.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\TypeLib | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ = "IIEWndFct" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\newTab = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\FLAGS\ = "0" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\i\ = "escrtAx Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\hp_ffx = "http://search.ividi.org/?src=tbhp&id=5ac85d7f000000000000d20227e6d795&affilt=orgnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\tlbrSrchUrl = "http://search.ividi.org/?src=tbsp&id=5ac85d7f000000000000d20227e6d795&affilt=orgnl&q=" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 69.16.230.228:80 | reports.montiera.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nso15D3.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nso15D3.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nso15D3.tmp\chrmPref.dll
| MD5 | b2bff24dcb4606c6c8474f979bfb4858 |
| SHA1 | 5671b867df8ce726d1075909cd40f3934d680da6 |
| SHA256 | 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af |
| SHA512 | e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874 |
\Users\Admin\AppData\Local\Temp\nso15D3.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll
| MD5 | db4961bbb3c1cf487904b15ea5b5884b |
| SHA1 | d1c23d22e93d3f9b268f99519d38d010ff99ea6c |
| SHA256 | 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12 |
| SHA512 | 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d |
C:\Users\Admin\AppData\Local\Temp\nso15D3.tmp\mt.dll
| MD5 | 4fae8b7d6c73ca9e5fc4fe8d96c14583 |
| SHA1 | 10865e388f36174297ec4ecdafd6265b331bfdcd |
| SHA256 | 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f |
| SHA512 | 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1 |
memory/2476-41-0x00000000025F0000-0x000000000268E000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso15D3.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsd1680.tmp
| MD5 | d3079578282b28ba03ffdd2b6b4e0e1f |
| SHA1 | 6fe41d64a9132030121a9fe5cf2850b813767857 |
| SHA256 | 31a17eeaf1af357533c4bafed56ffdf89b7a9c3b71b7081c3e3fbc01033b7b8b |
| SHA512 | 6287fa74ba3add7407ea65c5406e13ef151f778eb0ba1acd76cd32e17da92be5d6ba98c616132730d558026a94241d24036643e2eae35b164e78140869254f50 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsi16A0.tmp
| MD5 | f4c67df51bc663d0fe796da555808daf |
| SHA1 | 401b211bb00735844e776c42808584a68644a82e |
| SHA256 | 3de9f09bef858f665cb65798f1a5d9a3554b8965d318abbf0df42736294db187 |
| SHA512 | a6a8636e3c6676cc181aa41f1f2490177baf38920bd9c3fff2181475ac542fd25bf16c4f409a1c93d5eb3f6e20842aee529646a655e80548bbda752cdd38c618 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nso16C1.tmp
| MD5 | c1f678982f2e14ee43ab9e25d6d4dc1b |
| SHA1 | 283c5f9db053718e4f5f9c572f18502b9ff1e6e6 |
| SHA256 | f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f |
| SHA512 | 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0 |
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nso16C2.tmp
| MD5 | 55e77d60d71bb65a8fca04818df04968 |
| SHA1 | 0d40f3710f9d137b2bdc4c725d2953ad84e5778e |
| SHA256 | 2f7e1067489437ae1d4ee047aa7f3800c44754f59a2b555a5a02a61163548ae2 |
| SHA512 | 89d0efee4f55e5a93caece636c36702aad71bb2c9ba6dba4147d325131ad4214d6c192df3e2ae4963278eb394dcf61e746d6d6bd61771cc9f25eee240e09bbac |
\Users\Admin\AppData\Local\Temp\nso15D3.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/2476-270-0x00000000003E0000-0x00000000003F2000-memory.dmp
\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
| MD5 | 690df0811fc73ff2219183e5d80d824b |
| SHA1 | a720126932f65de281c6f34c5512be8f787f7161 |
| SHA256 | 19e42855c02278efba771951c712468221e3318984e65c866590899a70e9b8cd |
| SHA512 | 7e5feae85b18b479a014f050a31d276b3a7d82600b1ab62338c371b9093e23e59021973ddb2cd5783247be076b5824f96bb7f05998c5fc26e971307e1cbb49ce |
\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
| MD5 | abbbe3516d8a6280b94e78ea7060e9c4 |
| SHA1 | a2f22d9dc3db1f10a44902e5cdfd7431b27a8671 |
| SHA256 | 63601ef9667c037dc62dc92c7b389edfb4191cde9063d1059996b93f035f454f |
| SHA512 | 2ce546ef005dd07b5022fb524107c07693dbd58c21a2808060958baa7b968064c4e855d41c52f25ed89a3026460a6c9d413481e1d55f678ebf2cd5d170faf549 |
\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll
| MD5 | 57543e6554f60bd4082306d26245bfe5 |
| SHA1 | 70d4b021173c42dc82d40073fabe7fc0c28ebdde |
| SHA256 | 7838055c1f0aabe6df5b5fb3c6db737936eeee6d2314339082a7586414ae81b2 |
| SHA512 | 317557cddf5d666c2ed677619d9b98424cadc624e1e31067403ab7646008ce5496687e46fb07b4c61d0aa967bd0b3ac144acc3672c64ed66c1b3dd0d23938399 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1910.tmp
| MD5 | 5c60a2d0a5dbae0fa48c5dfc4316e06b |
| SHA1 | f119a999efac05ab2b86665d8eda87016c1523ee |
| SHA256 | 768c2a06ec350516f417af1f440a413f7bed7e6749f26b30856d8c37b8d1c3fa |
| SHA512 | ac21163b5345cf692bd1f10ae9ba7e3a7b65ed37f09171b4b0cfd788be8e9552ebd8683c44c56d27d42ae24735fb2ccb45216b9db7e6df371bcd36d2b77ba1ba |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1921.tmp
| MD5 | 5949f321a4b3647781a7ac49735f1c2d |
| SHA1 | 4595efdc320d5fceab52e8ce0cb4ab60cbaaf00f |
| SHA256 | 1198d63eb4a19448227bd089ca6ce856697b7ffb5f094e9e164f247cae744757 |
| SHA512 | 61bd59f98499ce99ab8a1250e34629a83e8c35e44ac5e8a4308c623e9f74c1a0259a8baccf4aa03d2c16e22180c8f1b0768534ea9b927700016117dae2aa2a86 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1922.tmp
| MD5 | a2cf7d7edcd918753e8af852376d8f86 |
| SHA1 | efd2d2b6bd61be9f363565dbc28b9c1eccacda64 |
| SHA256 | e786c00f19f695531f03d17e474883c387c005d67c1fd42e52cc6103f167773c |
| SHA512 | 4820f2de72ff44b6ce2c45def3f9ddce36b9e35a0671d69547f6cdb6e1ee2e8d4c424dbae17319ccecf0d578bf757927a61afb3f662f6d335abe68faf01277e1 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1942.tmp
| MD5 | 326732c5bc6d1a0a5f8a10dcd0a508ba |
| SHA1 | 95e3c0694b76aa4e1d1c93931d09805b8f155654 |
| SHA256 | 0997a2c67847abd1019bbb114b076d1f8e8270fbb7b586a10227eb6b6679b924 |
| SHA512 | 9a403712fe7f79d1ec3f1bbcb82f194d9b68f899e31c7d80672ea4d33c38abea99ea02c330465a65c191fa079c3bd2fab35cf8418da7cd4f489e2f2b9f9c9c3a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1962.tmp
| MD5 | ccb3a5f6824d0d0a158492ea6984b929 |
| SHA1 | 795679b6a68c0e64d360f09862802f7ae9555ab3 |
| SHA256 | 4bca545b728d46125939166cda834d306faf05b42a6b5bddc425d71b4a8838e8 |
| SHA512 | 0b07ea9d39e7e30d0b5e3e0e66aad8c9d26bbf4e6dadf61c4760bd0ccc2150c31407ab76394ffb5731b9b732ac75360ce1f7e16a0a16adaaee0d047907691164 |
memory/2988-919-0x00000000003D0000-0x00000000003D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1983.tmp
| MD5 | 6ed2914088edd7dd85c3f1998ff80d97 |
| SHA1 | 99e4e8325cd3268fc25bfacac0fe0e946fc3a821 |
| SHA256 | 943c687024e5c8eef2d5acdc736e9d4ca896ee5cf728d2930768c9fb97dcdf0b |
| SHA512 | d1f4d44c5dd2f79681f4484873c2bd4b607800ca813684b17f1f88678d2fe75cfe38dcfc0f77e0059604ed412dd04dcaee107f089496ff0427f63bc54f968aa6 |
C:\Users\Admin\AppData\Local\Temp\nst1862.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe
| MD5 | 351707305245428eae73bc1add4e1e43 |
| SHA1 | a7c2eaa393ff9a96bf040a9f942b5a26807253f7 |
| SHA256 | c61eb0ab6df8f89573a9caa6876743f1fb7dde313f322df5ee8bb0e2fe07b00a |
| SHA512 | 00d766f16eeec9e6171dce6966a0729c43e0e14ab5f405672e1eddc764485aae12fb2d47ee842743df6d70728f703c65def81ba8cbb3cbcf3244ee1d63e4db63 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.Admin\user.js
| MD5 | 484011e973a5328547fb997b2a97b635 |
| SHA1 | 8d65084dc81780c2061ca32883239bd1222ba373 |
| SHA256 | e23fe951b728ff00a033368e2af18f88403bd52089d8d4158bee89f4ad34b2bf |
| SHA512 | bf5e4d2c8984bd027a9b4d68bfeb8981967b5ceb1135ded9af0d317d10da18e6d03e45bdd95669163b73fd44f933aefba15a4b76954ce249a272e24e821565d8 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1A40.tmp
| MD5 | 88efaf9899f1cbeccbe9041f6d1f17cb |
| SHA1 | 7c728ec4472421075614aed7f3b10f6635f0acc4 |
| SHA256 | a60b81366d8f2a5c272b06ba5feaa796dedabd81e81f6a15c2fa855d41e307cf |
| SHA512 | aba22041ad8ada8f4f6b16db41681f753c08e4fc968a1d2981af0ef03a535aa0824e1637813832cef059c42d85e5ec438e5a8f56c9d71b566405da2d1bc1d472 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1A70.tmp
| MD5 | 6fe55307ca436ab47a547bdb13e8b7e1 |
| SHA1 | bddcc2b96a0ae418403db1dd6687bd0715573f03 |
| SHA256 | 51c295045907880a9333d23ef1fae568a847cc12cd37007bd135bf5234ab6a51 |
| SHA512 | 0c5c0c2b8e135b70dc781e740cb285ce40120a9df0bf36b917e42387e81ba11bd18c4bafe404bdee8f866e92032fdab0c559505a3732026162cd62ca89f1f5ca |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1ACE.tmp
| MD5 | 6a52f0ae7117dfcfc1be0fc9494abd1d |
| SHA1 | 7914d783a8606c6883af76105ee64642d4fe89f1 |
| SHA256 | e6a8eaf4e230745d6eb150e173ddf2dd370bcaeb25219abca64432c6d84a5c6e |
| SHA512 | c8c6da1d8912e81fd8e6b67890adf86c36d3e2e0aa1e5bfce9ca58d787ffd80b7efdd0a3fab5fc6e06643ee185517cb8c11a6c603ad357b53d9664d20c224f34 |
memory/2476-1398-0x0000000000590000-0x00000000005A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1B3C.tmp
| MD5 | b48544f633db4a6afad3529aa2394115 |
| SHA1 | 2c422b41407368ba997369356ed036245a2be6cb |
| SHA256 | ffa27319a70752329c8a4d1738ddafffa19411fc3f66223292c7d4a2e584cbe4 |
| SHA512 | f821bee38efc4963f09b7b888bc2726269546537563a9248143408b0bf177f7de36be18a316a78bc98c12937c7ad9f492fe61d832b0b9904afe8e50a16612506 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1BBA.tmp
| MD5 | f5b71b7f7201f4256b2dfb9d4811e1a3 |
| SHA1 | 561232f2aabb0c226ddb9aba2e68c8bbc86a36a6 |
| SHA256 | 09638b8e0172942a69bdebebecf6cc0e5d7c73890d698322152eff09ae740f9b |
| SHA512 | 68936120bfdbc99a7a7d255a4870edbfb815e9ea8d94f222743c9a6655e97240be1c8d891e07de1157e34625344ce8feebd5dfb5b78dd39ecb8894050aa8689d |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1C19.tmp
| MD5 | 722f999f084eb914bc5fe175c7f09928 |
| SHA1 | 72daab090c24c0454d1372d3c20684e42c8758ed |
| SHA256 | 4503e4be9b312a7369c3873226638bd1d079fa1439359746c3cbcbc1159ba340 |
| SHA512 | 2d080c1c34330d7a8defeb40b761fe5b2014d08b268739ae6a4a4b37e310e58227dfea6efe46563c720d1321d11076a7e73c8811aa618b4a6161674241e40b9a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1C98.tmp
| MD5 | 02008939bc19e2aee5e91eb6e06d30e8 |
| SHA1 | dc88ec6783f67ee0b7e75027df3024e079f9251b |
| SHA256 | d376997548877620f0d1956d2eb4843f61503bd150730f37177d6bc0a9869fff |
| SHA512 | 9df493b53f33b6fb2da94573da0e408fece0661ec8a684e73294532eeeb82289f4790c07761e647d9cfaf36012066a910d26529567d47cf2a286c8f856d76436 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1CC7.tmp
| MD5 | d743ffec707047fcc77cd89af7de5dee |
| SHA1 | 49546625c0fbf74daecc1b45528a1791aad136cd |
| SHA256 | 56945faba243279b4c11c8a09d2a8daec7f66c19593c0dd2dd0942a91bdfda5c |
| SHA512 | 291a635853c3fe220c0b0e6094074d8736dac5c4a6b4b23525bf4bd1197a262169dcbaf18aa79b3a21ecc2007784ebec1cbd5e00f3adfe8e5dd5d7c7cd63873a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1CF8.tmp
| MD5 | e94515893f37cd6790e915fcbd180aba |
| SHA1 | 26920dff84d3cdd91a1cc2ce182227ae09a03ba4 |
| SHA256 | 7018ed087244b84326c1a48fc852096758d2a912bbafb06d2ab93fb0e05f01a0 |
| SHA512 | f364136bfeb5a51f0162642c9899c74833f902373a5a5358451f138ed449db2eba91eaa4e124971eee20e987aca553a975bf213450653f9deaf383a192b05256 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1CF9.tmp
| MD5 | d0d81bd4b1741f1b5c8e6233d0e20f12 |
| SHA1 | 52863a13d34a49581797ece9e8f9143079ea96b3 |
| SHA256 | 7b786e1270b2eb762f6353847c94e694b8c769f9f306ebd93e9a39ac5cb20ee7 |
| SHA512 | 8e489ee08da88ec3b7c6c99d309a13d75fe88a93a9d9ce35cce9f809ff8f3be37f7a8db218f8d650c833d9d55c3cb1ccfb1990e8354210e9a9e339cdf928ad34 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1D0A.tmp
| MD5 | db76b485d369a24e24238b672d73241d |
| SHA1 | 248d5075f1287a9e1610b5dcb75236468bb6df65 |
| SHA256 | 866ab79fb3f27607eb35a5ffe1218ac93e729ade7e10ebbd49fc67124fcbad31 |
| SHA512 | 74b16355c238ad33dfd80250c65da44851f29db76d0a0bed4bf38b0440108f9737d37a271d5f026680da1f43586e2556e08c441efe85c03615702a8513cd9406 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1D1A.tmp
| MD5 | 9cbb5862dafe4c23ec2931498e43e936 |
| SHA1 | 6857a925290275b80db2e8fb9c22fb0459391fd6 |
| SHA256 | e2f11eff6ad384c75b0d7823c53db249c0db966a6d85364e7b39ad73fefb2ee6 |
| SHA512 | 8d75e9e1a500dd9896c033ae73e21f7837d4f07d0faadbdacd0b58fda06fb57c3679fbd5d66dc6138dd2ab02e3f440b68337eff387a7dc8e48843ccade656f41 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1D2B.tmp
| MD5 | 881aa400e1627ab73248231c37687da3 |
| SHA1 | c3127087aa8ff2134a13f49c945bceee7bbdce2d |
| SHA256 | 191284ffcc134f64b65ef238aad6b9995c4ae6e8f0846564b4ef9110a8d8d488 |
| SHA512 | ca38136e9f4b040a4a4a7540050efc0793e4b7113e89d3b826572c62ca6ed07d85c6e69138f303cf3d1c761b3c8d13acc5aeeafb71aaa7fa55ea6ebfd5eedf50 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1D3C.tmp
| MD5 | 8c0b110ff53b70ff80ebad2e2ced725a |
| SHA1 | f32683dc5a67e2996aa26395ea055b562b85d472 |
| SHA256 | 1bf4d2902a3b0e1cb5284997a51010285b0b57d08857aa73f6c4309c81c62085 |
| SHA512 | b507d87a8d99a96164837c103fce144ea01eed3836542bf7edb8638e55bd5e4f5fec1b10136dc387aa714dc25ef0f89c4e053c9b279ce1497310469543d0f5b4 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd1D4C.tmp
| MD5 | 8ecf2ff0d60883905cc799b11eb58196 |
| SHA1 | 83000b579f53726cd9c7c96497aaf1082eb3de05 |
| SHA256 | d7fcef7b2f3ad3ff16021869c34359e1b87fd0cd6ccc665a3bdf201c3c97a9a5 |
| SHA512 | 9a1931a06c093f34a04f78f4dd156a9cadee0f13ca08a9d6bdcb6ddb92fd619366d85fe52d6d99ec7143c04ddc022587740c4d7ed7b60b03a45e0ecf70fbe62f |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1D5D.tmp
| MD5 | bc0e69736515c069bd0cfbefdbb6e0e4 |
| SHA1 | 7e9c45e45148e0362ccdd48f77b775c66dce3f24 |
| SHA256 | 5dba51405ac9fffe1054d54da38dcca16bb3d5fc199b8d1db79d5a202207a716 |
| SHA512 | 31a6c8eb1e88b000ac776a0ce9e0be0be9ff3e6dbd3c3ed31104b48dc1220aca8000d6431550981480a723c5ee02aec25b8323c15667dc3b59128c7bc4fde424 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1D6D.tmp
| MD5 | 9d573b5218a609bedbdf21b7d7a93691 |
| SHA1 | 4ca4e59de714161f051e86e6a6e7907baf811258 |
| SHA256 | ab5c363df6fbd9143ebba720514fe5086e6f70df6f5961c9bdd222d7269d7851 |
| SHA512 | ecb73be97cba61228e2fc1345612a1e09fabb64a5fb38d5791da18a4642a6da508f51900d7645a5101147e033766b85874470205248624bb9a516af1b3c3bacf |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy1D7E.tmp
| MD5 | 9cc67fa79632efa44cab157c4be845db |
| SHA1 | f4a46197cf36b436645f627dc6845f809bf6ee64 |
| SHA256 | 29c975968b4a051f3a8c43efe36b6f6a1e92411f7d45ed69fa94e503a99f8604 |
| SHA512 | 45d66373c75db866dc6eb70ed81d14bf44a22d49905e0fdd0cdc4da06ac216b0856adc2cfb629f20ce526f987d7139ce19bef4eb9de410f30b8632933ebcfd9c |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1D8F.tmp
| MD5 | ae180ac2142aa89e5640d841e4150758 |
| SHA1 | 6d6e3036d509e819a7975afdbd0a37ee341be502 |
| SHA256 | 345288c2cf764baa3d806c7ef64dc1598cd593a7f33c7426af901dd52e41fe6e |
| SHA512 | f0f12b94f6cef699fe9a8d06d3537f9f425ebae073438e14a61cd026d92ae37c6d0eac63a90531beb51278913ae68b295128a444f2cf0664e31267d648c5fd7b |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst1DAF.tmp
| MD5 | 734cfa7649e90d2de67889921af331a1 |
| SHA1 | 14c5cb9c94db3800ad68a47fc616ad5b39162ffb |
| SHA256 | ea6787ae3e0611b391a52867551cb6486527c29cfcb66aada9e532b4c043f497 |
| SHA512 | 53c55491f53c74aeea2a3c5528f40e3ec7f65cf61bbc66d8c11f52f9a8ae52b50c3cd8dddaa5be8f7486a07b88796d0fdb5da9aeccce4e7378cd6905219bb287 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi1DBF.tmp
| MD5 | 191f63cfc2d775c89955ac0bed71b72e |
| SHA1 | 14e1316c3606d38186cc670b294a4c6e291d206f |
| SHA256 | 22073899a24affaf8f8c3b6f25113336a4d2aee313fda5de11ec5890f85911af |
| SHA512 | 79f2b03bfcc41fec04561a6c89efff29c45480dd8204ccd588981614ccaad7b4119e5d39e2a74e3a27a08d738038803a9f251ca61275aefb576b54fe2df11a28 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso1DE0.tmp
| MD5 | e41fdac5b1c325468ba194b37598457d |
| SHA1 | a21df010595dd4c5123ba32a3ad5966fd48f1abc |
| SHA256 | cc92f0402663b859bf81a8c30669138ae1abbb9d23a544ac6272d5cda04b5e9e |
| SHA512 | 2b27e07b7b2c0517b0e124cb65d935176f4ddf8b3259a48c31db8a7dbce18fbb5d09c8ce003b5e37ceb219bd7c9bd042e8b7f387c9eb621586b7e9609833fa40 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\user.js
| MD5 | 7e47345d94d8a232e07ef4476cc452ee |
| SHA1 | 203c9c93bfabd3a2cdc48e0a22ae344d07814fde |
| SHA256 | 743a8a548ae62914259abc119a0bbc7b07dfc4dfe4440da8550fdc8de4ae2757 |
| SHA512 | 2640df3d3b0ef6a5ba9a1b7cb1afc6d3729d9b74442f3647247cf3f1723ae160e85e1e62b7117038daf03d01d0e9612eddbf47f45126780e0c676483184b4e3b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\user.js
| MD5 | 74f5aa9956579e8b60a180a49408dca2 |
| SHA1 | ee0e6d973fbb8019715b6ba891bd00ff3ac325c0 |
| SHA256 | 1cc6325748ed86f931813f2e2a7a6033e676fa1b38c680ec273fd159f8ea78e4 |
| SHA512 | d288f7f9075784841e358f7970352788244d5333a23100a7e7a7b620feb0e240be9f0a910fa26c55de6cb7e95c9485eeeadd5afb759a3e39e0174443f5da2fab |
C:\Users\Admin\AppData\Local\Temp\nso15D3.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
107s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 3936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2932 wrote to memory of 3936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3936 -ip 3936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
99s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 376 wrote to memory of 3948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 376 wrote to memory of 3948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 376 wrote to memory of 3948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3948 -ip 3948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
156s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4776 wrote to memory of 3876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4776 wrote to memory of 3876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4776 wrote to memory of 3876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3876 -ip 3876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240419-en
Max time kernel
148s
Max time network
145s
Command Line
"C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe"
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93f080cb9f3c3a52489e0b7623d87e9c_JaffaCakes118.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 1700,B0274BE7A0CE4ED79F3A66315A6B0897,4067C76663CA49D9987A0EF4DF46F0B4,7A1122509BA7429EB95208E1F5E9BA10
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 1700,9164ABEE343E443AAF623DB6D47B3242,581744F284B440A8AC94185922B093F5,7A1122509BA7429EB95208E1F5E9BA10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | dl.ividi.org | udp |
| FI | 65.21.240.245:80 | dl.ividi.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\OCSetupHlp.dll
| MD5 | 9e4e850e12f2f4f869b2491dbbb17ceb |
| SHA1 | bd89581a89604b601c817ea680c2a224b46737f8 |
| SHA256 | 4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6 |
| SHA512 | 9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5 |
\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\IS.dll
| MD5 | c31b97adf54bdd6ac6d19ab85cc6bc57 |
| SHA1 | 7e458577b1fe49885c21f38ba981f77b00bdd59b |
| SHA256 | 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a |
| SHA512 | 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790 |
\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\nsJSON.dll
| MD5 | 78b913fcd04259634a5e901c616e6074 |
| SHA1 | ad5e1c651851a1125bcad79b01ccdcfa45df4799 |
| SHA256 | e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59 |
| SHA512 | cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5 |
memory/1700-28-0x0000000073D70000-0x0000000073D7A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\NET.dll
| MD5 | 9adaffc2a1b579115e40407733d94dde |
| SHA1 | 866bbb0dbbd217aa287fe3324ecaa828e8d7b622 |
| SHA256 | b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555 |
| SHA512 | 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619 |
\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
memory/1700-38-0x0000000073D70000-0x0000000073D7A000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240221-en
Max time kernel
117s
Max time network
124s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 224
Network
N/A
Files
N/A
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240215-en
Max time kernel
118s
Max time network
120s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 224
Network
N/A
Files
N/A
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-04 06:58
Reported
2024-06-04 07:01
Platform
win7-20240508-en
Max time kernel
121s
Max time network
125s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 220
Network
N/A
Files
N/A