Analysis Overview
SHA256
8c436076143b5d5a49ed25419f05c071654b0f0aa1a9f8c1b2db723964e45bf8
Threat Level: Shows suspicious behavior
The file 66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Drops Chrome extension
Installs/modifies Browser Helper Object
Checks installed software on the system
UPX packed file
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 14:11
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1424 wrote to memory of 1532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1424 wrote to memory of 1532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1424 wrote to memory of 1532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 600
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1928 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 3016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
103s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2872 wrote to memory of 1036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 1036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 1036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 224
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
129s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4628 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4628 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4628 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2680 -ip 2680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 604
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
109s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2448 wrote to memory of 5032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2448 wrote to memory of 5032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2448 wrote to memory of 5032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5032 -ip 5032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 604
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ = "ILiteStatement" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ = "ILiteConnection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ = "ILiteStatement" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "ILiteColumn" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID\ = "LiteX.LargeInteger" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ = "ILiteBusy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CurVer\ = "LiteX.LiteConnection.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ = "ILiteBusy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\ = "LiteStatement Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\CLSID\ = "{25EE8E01-5237-41F1-B29F-6AF441CF0924}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement.1\ = "LiteStatement Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\VersionIndependentProgID\ = "LiteX.LiteStatement" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ = "ILiteRow" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2148 wrote to memory of 4672 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2148 wrote to memory of 4672 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2148 wrote to memory of 4672 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/4672-0-0x0000000010000000-0x000000001009E000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20241010-en
Max time kernel
13s
Max time network
18s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2248 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2248 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2248 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2248 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2248 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2248 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2248 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5088 wrote to memory of 2952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5088 wrote to memory of 2952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5088 wrote to memory of 2952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2952 -ip 2952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 624
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1848 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1848 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1848 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1736 -ip 1736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
148s
Max time network
143s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\FaviconURL = "http://search.ividi.org/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\URL = "http://search.ividi.org/?q={searchTerms}&src=tbsp&id=160e802a000000000000c28adb222bba&affilt=3&r=354" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\Codepage = "65001" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6} | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000a2b7537641a7654979d7020049a5abfc6e35aaca6b19d1516beffe8bebce7582000000000e80000000020000200000005521647f1a677769b1d62ae95a10b63e4fceca221f126f827a7b2f213ffaebf0100000006fe062f948c63c51b17c2c99c240ed1940000000775a7cce1b2f48a4b804b5e938ec5abdbe32ac52f28b94d15bab410e8e27eaee65b39c3a499346a29794bfb401b2ced4384f63a811e9aac7fd0916255e3582c2 | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = (binary value omitted) | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://search.ividi.org/?q={searchTerms}&src=tbnt&id=160e802a000000000000c28adb222bba&affilt=3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/Unitech%20LLC/ividi/1.8.23.0/ividi.xml" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{56BD67AB-67CE-4FA1-8503-334F31E85DE6}.ico" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutUrls | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{56BD67AB-67CE-4FA1-8503-334F31E85DE6}" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.ividi.org/?src=tbhp&id=160e802a000000000000c28adb222bba&affilt=3" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ = "IIEWndFct" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ = "IxpEmphszr" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\excTlbr = "true" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\VersionIndependentProgID\ = "esrv.ividiESrvc" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\vrsni = "1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\postUninstall | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\FLAGS | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ = "IescrtSrvc" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\ = "escrtSrvc Object" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\uninstaller = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\uninstall.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ = "IwebAtrbts" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A} | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\VersionIndependentProgID\ = "escort.escortIEPane" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\smplGrp = "none" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\rvrt = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ = "IXmlCnfg" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\ffxInstl = "all" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ = "IRegmapDisp" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ThreadingModel = "apartment" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 868,CF58CD2452A740ADA26AF903D6F0F624,E8817F5F755E4ECC9C128BAD4872516C,0D4C99A5826A4D5898A46E16BB0FD4E6
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 868,E0F530973D664C38A00A7293660F69FA,F94B0BAC6587449E8FFC3891AA5E1329,0D4C99A5826A4D5898A46E16BB0FD4E6
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe" /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe" /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | dl.ividi.org | udp |
| DE | 195.201.124.255:80 | dl.ividi.org | tcp |
| US | 8.8.8.8:53 | search.ividi.org | udp |
| DE | 159.69.83.207:80 | search.ividi.org | tcp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 172.232.31.180:80 | reports.montiera.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\OCSetupHlp.dll
| MD5 | 9e4e850e12f2f4f869b2491dbbb17ceb |
| SHA1 | bd89581a89604b601c817ea680c2a224b46737f8 |
| SHA256 | 4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6 |
| SHA512 | 9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5 |
\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\IS.dll
| MD5 | c31b97adf54bdd6ac6d19ab85cc6bc57 |
| SHA1 | 7e458577b1fe49885c21f38ba981f77b00bdd59b |
| SHA256 | 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a |
| SHA512 | 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790 |
memory/868-27-0x00000000743F0000-0x00000000743FA000-memory.dmp
\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsJSON.dll
| MD5 | 78b913fcd04259634a5e901c616e6074 |
| SHA1 | ad5e1c651851a1125bcad79b01ccdcfa45df4799 |
| SHA256 | e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59 |
| SHA512 | cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5 |
\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\NET.dll
| MD5 | 9adaffc2a1b579115e40407733d94dde |
| SHA1 | 866bbb0dbbd217aa287fe3324ecaa828e8d7b622 |
| SHA256 | b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555 |
| SHA512 | 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619 |
\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
| MD5 | 8c271a4f3d22bab31657afef6d391392 |
| SHA1 | 73ca356b709eea6404ad8a997d4175894706430f |
| SHA256 | afc3a56884a203c8351098f217383d7397ede85580e1ce6dd54ad59f327bed69 |
| SHA512 | cd433aae16749a0581761fed60d1758f80351d9a08219a256aae95711060f91a2189fbfbf7e5dd35202d8c1da92049c03357c505159c7b724c4896dd7a1cc832 |
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\chrmPref.dll
| MD5 | b2bff24dcb4606c6c8474f979bfb4858 |
| SHA1 | 5671b867df8ce726d1075909cd40f3934d680da6 |
| SHA256 | 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af |
| SHA512 | e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874 |
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
memory/2540-83-0x00000000029A0000-0x0000000002A3E000-memory.dmp
\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll
| MD5 | db4961bbb3c1cf487904b15ea5b5884b |
| SHA1 | d1c23d22e93d3f9b268f99519d38d010ff99ea6c |
| SHA256 | 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12 |
| SHA512 | 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d |
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\mt.dll
| MD5 | 4fae8b7d6c73ca9e5fc4fe8d96c14583 |
| SHA1 | 10865e388f36174297ec4ecdafd6265b331bfdcd |
| SHA256 | 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f |
| SHA512 | 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1 |
\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nstFE20.tmp
| MD5 | d3079578282b28ba03ffdd2b6b4e0e1f |
| SHA1 | 6fe41d64a9132030121a9fe5cf2850b813767857 |
| SHA256 | 31a17eeaf1af357533c4bafed56ffdf89b7a9c3b71b7081c3e3fbc01033b7b8b |
| SHA512 | 6287fa74ba3add7407ea65c5406e13ef151f778eb0ba1acd76cd32e17da92be5d6ba98c616132730d558026a94241d24036643e2eae35b164e78140869254f50 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsyFE40.tmp
| MD5 | f4c67df51bc663d0fe796da555808daf |
| SHA1 | 401b211bb00735844e776c42808584a68644a82e |
| SHA256 | 3de9f09bef858f665cb65798f1a5d9a3554b8965d318abbf0df42736294db187 |
| SHA512 | a6a8636e3c6676cc181aa41f1f2490177baf38920bd9c3fff2181475ac542fd25bf16c4f409a1c93d5eb3f6e20842aee529646a655e80548bbda752cdd38c618 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nseFE61.tmp
| MD5 | 1e46e894e3edbae113af5b18894ae502 |
| SHA1 | f4d160113aad241764f67b4ea3db3995aaec4a1e |
| SHA256 | 9cf2b61be912114c9da26dec65a1e6970164d8e21ae981cd2c65ed8907e41781 |
| SHA512 | f45facc4aab2889b316e01e0a62d6c122497bcb4f9607b14a342c76f2ad5053dae43952e032e5dd307cca72f87a9eef1b203640a88a9d005c2b0740d5a7fbb76 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsjFE81.tmp
| MD5 | 95f8b3b648c016474acdd5b01fb4ec35 |
| SHA1 | 931bb414aff8506cec7fd856a118e3284e9dfa99 |
| SHA256 | a0a0b9dd4ca19d04dac378f98750494826750e325a9c902e446b9fe29cb0d771 |
| SHA512 | 3685be51c2da29c62f01ba1b2af9bb86e673fe5094fbe18b3963f232a6d0c5824e10a584cc8b894952804a8c2284e9e3d6acfdf7db330d52d07ea415a8f95e9d |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsoFEA1.tmp
| MD5 | f1d5d5d767a8131da1fc7cf716ff2a15 |
| SHA1 | aacb16b7e1e242ddd2e7e2047e01579322d545e2 |
| SHA256 | 13c28f22baef964c4351578b5dda9744d6e5e7dbbc69f5443ae092611ddd31b6 |
| SHA512 | cb041bc87828773ab7ed5cbd17809a12c2eb768e324dc7d1ad27779abf5cde03c045b4f7540da19662672ab57ac2be8fbddacc8888a07255aba380c7c72b3796 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nstFEC1.tmp
| MD5 | 6a2154e374a248d98139462d92900311 |
| SHA1 | 5b5cbc7e21ff2093647d04966de35a429c4d42c9 |
| SHA256 | d7f8c096c2faa3a85bedc0b8185fd59020c00c1190405e89c22f7e9f1fbd0363 |
| SHA512 | 17eb6f65f55776cd3cd777b1fc03e6e5b8ac4b0095422f486adf40d06ec46655bf94d83bbaa5ef4f56ebac922f6ee30f2e76b86256f21e1d18ef30d52534c486 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsyFEE1.tmp
| MD5 | d71e5784d260825ad2c63652cac3673d |
| SHA1 | b2dec1bab7ab03572298648fb7626a204981f0ed |
| SHA256 | 5233e39f303c2425a9e568800b30d27bb45732cbf84d0ee6c264627536dc9863 |
| SHA512 | 7598f78f1fb640e8de50d7548188e0caa20996e1a3da31d981aea60401b293f52b223d94bbfd4b20566db87a6015a07c3876dab7033130851680e2df0d7f4a1d |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsyFEE3.tmp
| MD5 | 3685803a8bf288149948257444f4b71a |
| SHA1 | fa5d5c9b6379def0329a32d102773d841d75318d |
| SHA256 | 4ca882f253e353273a1004b3993ad80200a83eab9f20daa6d4ee666baa438c3a |
| SHA512 | 0e921cff49fd599efc954a8245b67ff0614fac1c5e5152521b88b48e9146cfb31410c925fde89cc2d38954b6ee7cd605dd017e1b478c8a1fe301e1b171cf1999 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsoFEF4.tmp
| MD5 | 279dd3a12b962532be82049c5cb1248e |
| SHA1 | 6f80001ef64e9529a820a977eb559254fb8cb532 |
| SHA256 | e07dcb5a645d3895e3c60b1ed799fe186ea19c984456bee42c554b023c5b66c6 |
| SHA512 | 079fde4ebf86a18b7e6c5a4fc6035af27ecbd82e4b151fbfd500b1b729020f99b55233d73bdce69dcd06cc4f3d138abd2b6a2e523afc87200c17b87f72e31320 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nseFF05.tmp
| MD5 | ee80745b5710c8b4a3d28371f998d11d |
| SHA1 | 401d2182543b9a11cda6fd0de2ac44c7ffa6b5c7 |
| SHA256 | dbda07310a8c124cb9c98b3b47e486f41f1080da556f14b1998260b3aae967f1 |
| SHA512 | 81a3b70367bc323ea6a6ba4e988caa2e82c595c622cb4297d34dee63ff6ee7f57baa0c332700cdb1e857fd6b2c23960fafd8e53de0bb39efa31de9b6f9eaf3a9 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsjFF25.tmp
| MD5 | fd8498d9480fc5d64129cb5b453b49f3 |
| SHA1 | efc836399518434f20d1edbbc31e62533d90298c |
| SHA256 | ea363aa00cca4c38c2f9fb4e334a2d014a92051e708a16dd5168e9cad88f12a7 |
| SHA512 | 64cf256e5536ecfae6e3fb76af3b5f08e8caaaf06b7fe450af9d7a84d88a5b9ed9a4bad6740d0bceb0ac174cd391b3667316e94b40c89b54f23f6869262a6333 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.Admin\user.js
| MD5 | 1a1baae0f82cfcda6a478df722f3c152 |
| SHA1 | c8636e08263cf7a01a138ee48e388e5ba0826d3d |
| SHA256 | ee678595f007c7aa62d92a679a4476070a89a3498da0c1b3fba934c156b672ab |
| SHA512 | 727e2b5b64f7e3c2be38648dc3fae4e5dbb0391ffd73afbe5ed94705ae8604bdafdf47ff1e32aeb04359117308f76fa0816e611cb3e61fa6b8bc578710313413 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\user.js
| MD5 | d66b2022009ac5ee79ccf1e849609241 |
| SHA1 | e7ee619e4cc3c4896ad65eada651643d80ed9a1b |
| SHA256 | 481a094a5199d2d45a036676d84508505559f56288b0ed8131eb9a32510551e6 |
| SHA512 | c3f8396e7e3670b32c3125184c8e8ff67447f3d2fee600c37357bcb748d1c4cbc03a7c68d5202913e70a0aaa5bd95304ae90bf61e5ee7242a43d3e467812e1e9 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsyFF85.tmp
| MD5 | c1f678982f2e14ee43ab9e25d6d4dc1b |
| SHA1 | 283c5f9db053718e4f5f9c572f18502b9ff1e6e6 |
| SHA256 | f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f |
| SHA512 | 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nso35.tmp
| MD5 | 3ee63ddbd8551a9194284ec5c71669dd |
| SHA1 | f96b13036ce97f44ef32cf7cedc5534bd9b701a3 |
| SHA256 | 29b7090ef25a239755de0634bdc3ea1031917d2d42b5bb7cb34598b4e892e85e |
| SHA512 | 1aa46047f29dd002c144aca059bc84c1caddbd6012f2b6fa9821f454186fe9a85a6868c9f3974e5b090eec5391be8cc1530f858385fd3674b44d112698b98ab6 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nse46.tmp
| MD5 | f5cf0f8a638fcd8228e9493d27cbed25 |
| SHA1 | 47dde7ed80b20c75b0c0c37fa8256cca159c133d |
| SHA256 | 26d9f343033ac39da30e28d96120f157266803aa66bacf4b8f0f309677a35fdc |
| SHA512 | 12d987931f0358d55f18350b81df7c3d00f84e973193f046d0a3f721226d594d2e88ed3d1116b213e773d599268686cb2a3d18d5c096fe571abed26b19b74c48 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsoD3.tmp
| MD5 | 963c905c55ae7d48cd4fc962ee788e0c |
| SHA1 | 9d6b5bfdf370b247247ca6ed5a8dda5fb1704edf |
| SHA256 | 3ca23f19d06a3ec3ed32079e7d3fc1dacdc27fab3e2a5030ba8fb8042ddf117b |
| SHA512 | 085ad3081b561c63c490b41a5ea65068e3ee7fe83efdc82aec952c89b418d22c5f1766530378c2d4c91a9dcb64189995fd761ec260933b31bf3543e5ff9c3d72 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nseE4.tmp
| MD5 | bd24e09c137b6314ae432c30894d046c |
| SHA1 | 448daab002e50694acf37d07241433e6eb6f038d |
| SHA256 | 01a5efa9f0b5524b6c5d7df21e80e9849a6a199e98e2a668ac95202570fca505 |
| SHA512 | 25c0be80c8638fdec692d30bc9823a983d0a40dc1ed375107acc9cb4e35a57e9ea41b1932bec53d70aaf82c50e40204eeae218e3ac40e8a885fb1e6339b321a0 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nst31A.tmp
| MD5 | 7e65ff3b656003d505bda743404d383b |
| SHA1 | ca67674c37e841a4b6571b255f692961da551fcd |
| SHA256 | 048501b32e7eab72ba98af634a5c931728c62a94668eb9d6023a9a983b616b02 |
| SHA512 | fe68f533d1c67f950b81b7deba62287a99d86d2597df2e0a2cdeae46adb245a84176223332305643d2c0ad122c4a1559ebd0e6ebcf3a28833f0275c614e1d074 |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsj32B.tmp
| MD5 | b798e65983049f7d8888e0d4626fa47c |
| SHA1 | 9ae7efe5201cb364e51c8487c99bb7d4f16e398b |
| SHA256 | 353f3731fe1d9432353f307d22834247f07e9f1ead5a0f9ca7f568bd1b660b7d |
| SHA512 | 74671979714d5a7d1bd14a8712cbf330e510e25b0ce0563299675c017f111f0042f2bde3c6366f4505349d4af046d3c3b305e420709e93949ecbc67966bddffe |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsy33B.tmp
| MD5 | 61edc0f0090cfb13f57678c01f69a68f |
| SHA1 | 313b0c0a3c422edbd60d89edc073857eb378fc47 |
| SHA256 | 656c7106cb66d66d328756009a59f607a4f8245518720859173b133115466ce6 |
| SHA512 | da9df1d6afa09cbcc376e3023ce6218b6ae9f746381aeaf52e4624e4d6e1bd4d10996781893674eeec542539c8eed3ddc39231eda62768104c5e4eb77896254d |
C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nso34C.tmp
| MD5 | 31dcce6abe2c5f73ed103f6b02ace9cc |
| SHA1 | d53f8e9c1d8eb3d855054b8a3c1d6a5f4521474e |
| SHA256 | f0d6000b064d3c991289d1f5579c0d7a4ccc0aac5894205009ce914d66041bb8 |
| SHA512 | d53887d8d64a50738d978e8bc2ae2e2da4b5b4c9e97b7dc13361c214134f42ab66cf0b5e5980db1c0041bfa8dc7da5a3e8b81d9c0c7af17ca0676d0305e7fec3 |
memory/2540-3228-0x0000000000860000-0x0000000000872000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/2540-3264-0x0000000002CA0000-0x0000000002D3E000-memory.dmp
memory/868-3270-0x00000000743F0000-0x00000000743FA000-memory.dmp
memory/2540-3275-0x00000000033C0000-0x000000000345E000-memory.dmp
memory/2540-3291-0x0000000002CA0000-0x0000000002D3E000-memory.dmp
memory/2540-3297-0x0000000002CA0000-0x0000000002D3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy542.tmp
| MD5 | dbeb9e5902f2ec685c1196a48271efd0 |
| SHA1 | 4d77751d9ab73a3964e2d395a2295ef1bf46aee7 |
| SHA256 | 31d111d7a683bd310b44f96c9b3c03d517fabeec2c77cf5656f2408393bc5794 |
| SHA512 | 606e417197f6a55ba33c76a4a446ca4712367396dabc6acb4d8da54036327cf376ebb6871a0b7b0cdc8ce220fb4ae55d96a08af3783c00fd16c869be730f1125 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nse563.tmp
| MD5 | 17f3c44732eb03e3788b7419c4677339 |
| SHA1 | 374fccf13c655a7d3afdff3408f17a5335313615 |
| SHA256 | eac1828eadb72980cfcc3e6e05997f8ce5798b35ffbc2f748202e87c985da63c |
| SHA512 | b2cfd719633d3088a36657cf0f7da343020d5d9d620ef3f6afefd8ecc144244bb0b1ec0de8dc7724b427616a02ddee77e11ff1e22d98db6eebbea6140a420988 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsj583.tmp
| MD5 | 3256f72deea26deec3c63781578b9052 |
| SHA1 | 88b3b3c208aa86ba372051c6af0b44515d868d0f |
| SHA256 | be07b39485362bcf544ab967b1f6d07ca7bfef6b65b901f00a0dc59e7d2efb20 |
| SHA512 | c7bf283715fb9b4aa96f3e607c33b9bd79f7dbe5b8ad424217be13f3fac11bac892a1ddc3d7ef8676e6ab081c0cfe9e6ff66dc1ae0b7e7bfa4b45958953b888d |
memory/2484-3915-0x00000000003F0000-0x00000000003F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso5A3.tmp
| MD5 | eafae0664b9b17365fe6af0ab388ceaf |
| SHA1 | 0d931b4b41367539ad347962c538839278246e44 |
| SHA256 | dd799b42f15c95e21ce33892119cb98a8e2b7626f8ebb45cabdcf574ad23656e |
| SHA512 | b7d52032a8ceaae7aca4f9f14056a7e6c801539abee381190eb198797a1584c0afc0971a3422945ac7fcc5cdb569cb119b7004b53a153e3803228117ae28bdee |
C:\Users\Admin\AppData\Local\Temp\nst4D2.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe
| MD5 | 351707305245428eae73bc1add4e1e43 |
| SHA1 | a7c2eaa393ff9a96bf040a9f942b5a26807253f7 |
| SHA256 | c61eb0ab6df8f89573a9caa6876743f1fb7dde313f322df5ee8bb0e2fe07b00a |
| SHA512 | 00d766f16eeec9e6171dce6966a0729c43e0e14ab5f405672e1eddc764485aae12fb2d47ee842743df6d70728f703c65def81ba8cbb3cbcf3244ee1d63e4db63 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.Admin\user.js
| MD5 | 34315b127d06e06630f73ff2d8887d9a |
| SHA1 | 15e5a87308331e901e60ccf63b1fae9bf226afce |
| SHA256 | c5a043916c352cd162d9654dc7fa1ed0b489f511a81856c2223f6cb91bf4a314 |
| SHA512 | 1bb50671d86cc3175036145d4c0c72bf9dad71cee0d8722cbf890f55e7f13e4ea068b3f698192a2299dd2486b9f4d52a194070fa071648e85ccd4a00bf205c43 |
memory/2540-4326-0x0000000002CA0000-0x0000000002CB2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.Admin\user.js
| MD5 | 92050744879c6f43913b90ad163c941f |
| SHA1 | d7f636761d9dace0ccc3a2f831ea1905e5c837f3 |
| SHA256 | ac6bd4657b59a8bbfa97d8e277d75c264a2809db7ac9619a5961042a804b8173 |
| SHA512 | 68672f99b524bdd77685e55d9e1bb61a9add5df296ee357d412eae9171c24578d2cc283e46b17eb79e0f2985e3d70c5ee58a2c2b807783c0b73636541f80f7f3 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso72D.tmp
| MD5 | 89a88b6a6ed6e0673faba6bbea0b2f92 |
| SHA1 | 8d0b8555b6f340d7ac169336c4d2053f8a7ba29d |
| SHA256 | 20219f34b80747f161c86441f23790b018b1d380b506acac8c8cc044dfcddbda |
| SHA512 | 9c634e60fef1dfcfe69934987345bb9e559b54db340913c0fcb9fcc0efca490eeaf31cca51c0eb5b5569c0c6af795288a6d37c99c150413e68afdafeffe85bb7 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy7BA.tmp
| MD5 | d3eebf74f066559780691e028d1892f2 |
| SHA1 | 7f31f18fc918ddcb0405c5568bf965dca60f6bc5 |
| SHA256 | 2d893c77aaf12516782ef39ceae696769afbb7c046842a38e0796b0e7d2c30b9 |
| SHA512 | 43e48ac93f2ca72b4c87e860935063c12b42b04589bcc6859e287a781fa3d321e014626bdb122deaf5a39d02b5f01b12a2c53c58b57b2d9c8ff8bf09b235e0c1 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nse829.tmp
| MD5 | 538893b29a2f88b2c3873b546caec599 |
| SHA1 | d2a569011a51ebdcc7dbc86da9592f694e50fe0b |
| SHA256 | 59c5dae2f5e89bbbfc2c50680fd0a8c841652c5a8983a00085f995e86c189372 |
| SHA512 | 7dfdd6120a58f52f7c0472a23d2244a70281807d533db4a59f828b780e266922fb81059eb208d8c661c03324befcf8168a80af0232ebe826cd1eba6d29123144 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy8A6.tmp
| MD5 | 226e25cdfc1ba8964405821c6d49c50f |
| SHA1 | 477d985fbc152156d90d52e2aa1954128591d488 |
| SHA256 | debdaeb9a2d09bfc046e17acd0cdcf8ea0ac526010558ff36f53fe62438e662d |
| SHA512 | 500393207d4649995b8fc7a513d9b7e9630379b4b93efcb06183d74fc136c762983a4a9aca36e389116a2660e400de3cc1643cc97c5323ce00014263f7acb6dd |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst8D6.tmp
| MD5 | d920b5ccefd38505b8d64b439e80f6c5 |
| SHA1 | c5e5ef667a117346639f792c7044d594aeffd2b6 |
| SHA256 | a3f17ca57bcfa202ae0517964414f65e2041ce8ce219f45f39c066bb4cab7279 |
| SHA512 | 4eef657727b8b7ffda30c634510c498d711d7e99c308e9222b6ddf9c490be97e0ce90f078761caa60344212fa1a4a09ae538710a510db39fecb36a42a307ed07 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso906.tmp
| MD5 | dc0ca0c7758a9d0f38a1400d5523dd95 |
| SHA1 | b0169ecbfbb0a7ebcdeb3a0a11a940673f5951c3 |
| SHA256 | ef445c7042a7b71f852cb790ac466454b428d8df7ded832d76e3a89f21d6be83 |
| SHA512 | 55e7a5db113c8a8c8a66f208256a48c71c329b6fcdf0b3ecf4995e2379587b0f5122af0d4b658aa33c8f3e465d8efc33df1058872801305be8e0de6e2e9f8e16 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsj985.tmp
| MD5 | 7c2152200d15bdbc43f99b299f38ee08 |
| SHA1 | b095c12e994e4df49182f52479d187987c492f60 |
| SHA256 | 25733f23a135183727135103600d11a638fc2b24d2250081ac6e903942dc6731 |
| SHA512 | cb233ce0f025873c9001dc762556545f9203c6286281dfc3fc4cb5fc78203a33ef1577c76a6fbc852b7e8af5dbcdc6b2eb184036ccfe6ae51b02dc28a6049b7c |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nst9C4.tmp
| MD5 | 7e35fec4807358a3d330d7dbc4b85dd8 |
| SHA1 | 38be81834bb9275e57d5eebf6c0a08035da471a5 |
| SHA256 | 7cc587c76c33443ae26a60d513509a188a38188c188dfb95e0925ad4cdcdf5aa |
| SHA512 | 73c32e6291bc3530069f5729982e0c7407cf81257e2741fc8acd4d7cbb508a1fb1168bd299d7199d65568fb75b3d26f8cccea53cffc8209c2820e67939a8f72c |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstA14.tmp
| MD5 | 2abab6361271d4bf1bfab1bc9400cd2e |
| SHA1 | 2b4a010f57cb18192214721df02ba0738505f295 |
| SHA256 | d3eb7aa2c3111bd56ad43f911c9d166caeae782644676badd21783c349781706 |
| SHA512 | d126b4ac96488411ae061e14db659a0cbd40b7ec0102afb1a057d8b248a06d14b8d1b9933a2778d6d586168e7fc5a5f8b772ccd235fe0e2413ad2fa673fe1902 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsjA25.tmp
| MD5 | c47a19c451f807be94b3f8332649cde5 |
| SHA1 | 2242613ef6bc7e81bed0608d514d4a6e827f3f81 |
| SHA256 | 579140a0b3edd9d3b472604f5219e38b527bcf99fb67dce34346d504717d3f9e |
| SHA512 | b2558b51db6656b3e56eb6f5f7312b149dedf2cab446d31d0373dcf989683bffa2f2dfac8045990d550c61d8c77e80d1a9620a34f883fdaecfd8534eb13c30de |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsyA35.tmp
| MD5 | 3ff172f358ea0f32edb03961108c126f |
| SHA1 | a296b4eb25e5c7cd2d8f20dae552e6aeb8766011 |
| SHA256 | 2b3ed12982072473ef01c1639de1320941920c4bd239bc488ee54cb4bf8ecc67 |
| SHA512 | f73bc102d26c30329f4a8c454cae67e750584741cc8790388f2fc7be9bb43e63b060c939efcc23aee12c67814f61101f0551d04118ef5dbb742ebc994056bf58 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseA56.tmp
| MD5 | 868bfd60ad1a38a95422169d5410ddf3 |
| SHA1 | 3656de25d2632e4cf4df47d8fec516d7a7b2b818 |
| SHA256 | c3f7b68811ecb146e65d1a725796a179a4d8b532f83ae23e14745f746c527207 |
| SHA512 | f6ea3d3fce225d16d4319aaab0ff2aa08e7accb7ce183675f33408fb6fe6c7c6f6a3e49df2f66e1b606084d0cafbc623fe153f3b757552243ea75dc673551412 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstA66.tmp
| MD5 | d5fd702524bf7135167765b0817c2d22 |
| SHA1 | e07baa1f91cbc1a13cdccf0a8be3ee75e47cf4c9 |
| SHA256 | 4893a0848173a72a4a9b498da062ee6fd0ac03a98bd532c173e2418a1e22bf1e |
| SHA512 | eddc1c71c4d1dc3bc6c14bb2faf5142d2bfe9ee5aa9229e0191ed30646dbefd518b7d1031b9cba1ccbfbfa28dfad8f09ce35b664504809ebfee16b9bac9a1be7 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsyA86.tmp
| MD5 | eaa24497e4c4800162b25962420c8ee5 |
| SHA1 | 34f876bd26621490d9a6a1b4ae9d5deb0c7c0738 |
| SHA256 | cfbce9901bbf62ac11136b95d3930fcd4b2379bbdc421288b12702789bc1cc0b |
| SHA512 | 7689dfe226dbed3c77e99ac61542e420295e4cef0469bb5dba03c97378108c0a9dd9531e4034fa24f4d1282c19bd73fe158b3b8130436e8b0159a230679f0b57 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\user.js
| MD5 | f346d81f702e9bda05c9305498949376 |
| SHA1 | e743ad5c1321d9bd098efa8179bca2bebc64ccc7 |
| SHA256 | d3d2b40db1f8d66259cb88291592e0bdc8cadde76684c72a9918b70bb1434470 |
| SHA512 | f405b57a29a99a2a46c0ac9b35cfc0eb5e2a7d96805288614e1bb170f25f8894bfb4d8980609fafcb8a4f5cbf50c8e0d904a5bf553674627ae831ddeca1e5d94 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsyAD7.tmp
| MD5 | 69d7f80a71ff56090a5859a951368f0d |
| SHA1 | c30956dcfad72d0811c67dfca9a3f81a540f6be1 |
| SHA256 | 458cb63b60a97d7f133bc64c858b598514d2f4f3621306dc27748ce62e7ddfd6 |
| SHA512 | 3438e4ddeaeaf7e84fe92083b5067b4e1edce1b9593cff4e3155e3145482b7254f33e11af5c0161307591254e30d8749d42e660b5b55d9133a681f0145deb18d |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseAF8.tmp
| MD5 | b01927abeb9a6e72d978e8b783a91eb1 |
| SHA1 | 7f1ffcedd2b6fcb6caa9e8ca6e9882682f661e70 |
| SHA256 | d2b6584e8d307facdca42321dfb7ef7c73c35e4b3b67a4b3901d3a0dc30f64d5 |
| SHA512 | f594e8b3d88155bfcd1292b07ec328fc83a5c25ca8a7aac90f7abbd0b6c7a0668350a8423af7c75297b8daaf270a28752791b88068954ea41bf2563ff6ef91d6 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsjB18.tmp
| MD5 | c0ebdec7a2f29b84b68d3d29680b8e54 |
| SHA1 | 924c365229245fc619b274ffc3d9778868f80830 |
| SHA256 | 4af97634888c8f15fe57e8daa377984e87c824caf1bcbc5274649368a903f8fb |
| SHA512 | 15e904f5e2a16ff7b5093a05d52c94c4c01233585c5c46ba5e209e4461745cde9a9d82d9d77eda6412aeb4eb2173b2b16439859c045fcd709c66366e2bb04c12 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\user.js
| MD5 | 2e6c24cf2610180b0d6e06b06f2c423f |
| SHA1 | 9a642fb0b338c2e98fd24c906257a9cba60b9830 |
| SHA256 | 6edd69c180042c0e4eda6647eeb7eff5d65700f95f1a0bb8d186a4475e7f55aa |
| SHA512 | 97592586330fef2cb8b0bf450389d0a84f92db50091c5825470ce17b4b944884a53a1b26256de835baab077a909eeb3e830853deab72d648862077cdcff0ba60 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsoB88.tmp
| MD5 | 9a5ef5d49e5aaa6202902e167dc2b7a7 |
| SHA1 | 9e4dd6d7d6c9612683b0cf132162bc3ff2a2d051 |
| SHA256 | cfcd80288ab186c415366e70a8129482f441a18545537f58f9d741d5301c7419 |
| SHA512 | fe45525bea220ead2b8210c8c0bc00398ddae9c52e4eff1f83d08571c5201c9d66aeb9dd73f389ace147e48c5eff1340f666566f2eff78370b5eb4988ee0c600 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\user.js
| MD5 | bf15204d27ef2b8a83f6ce829b057a11 |
| SHA1 | bd1e874589b118172fc60ef4adfa67413d6b3f6e |
| SHA256 | 179a6374242baddeae43418717d06518ae80203ddd05e5eb90dca5984f336b23 |
| SHA512 | 4c7e05e4fee9e481c6684aa457bf2d9aad529882007ac75a966a7c4798dca608e61e194633c76d41ee8335293e890192566e716197ecd7328f1fd54bf8ca51f1 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstBF8.tmp
| MD5 | 64c7d08c71eade5ebe2f58b608307b70 |
| SHA1 | 01fc42e32270cad29f01a92e9a1b9540053fce32 |
| SHA256 | 7c1b78ee4d85ab4cbcb2852003569aea318aaa790808c9d8dec0bc161a0adf5a |
| SHA512 | c853446df9483b058401a543ba9f3b38383ddd42987f18ed2fb42d0957eedcaf0f0eec1226f026d1e851d6b896f9ddd56d53ca2937524df28becbe2a577e6428 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsjD96.tmp
| MD5 | 64ceb0aa15fa087a0791b4d5cac562da |
| SHA1 | 0db2e4daa1426867478530618e3a8722b9ee4e47 |
| SHA256 | ba6b3dd1db022492d908812ce1d412b2268cced0fcd65191ba45b178fea38f2f |
| SHA512 | c9372d8f75d2f41ca6c57e36212d7dc038ab8f7e26d52cc9730bfb492d23a8dc678c5bccd6ca2ab0fc8afee83dacd0835e14e5824aa835c612da9aeb7b087afa |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstE28.tmp
| MD5 | 8f39e881de4af18765a7926c0052b07e |
| SHA1 | 475faf2a1e315fcc2bcfe26dc0dc2ccb1f4bdb34 |
| SHA256 | d33b49cb9f6fa42376d05e1b59ad3e6df8e9cd1c8fb7ebfdb2c62e898a7b74e0 |
| SHA512 | e1054e2b5d3089d148b22c27b6042d6baa1136b8902fc359fd4fe1f80150671cfa860fcc78820bde2c848a3da8b2cd50007265630d54dc50fa9c7a7064a7126c |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstFB5.tmp
| MD5 | bdf8ff5010e7c7bdb86a4ec889e9d765 |
| SHA1 | c300cd01ad88cb0adeca713296f55ddc6718d39f |
| SHA256 | 89f4c9ff68e70a3797038246c90e7d9f03bf968b9695cf924f38b1b3db36ed68 |
| SHA512 | 721514c95144f31c9daf14a0fc2864c1280ce14f1f9d1ed8105f410fc869b62989ee0da0426cb56c93f1134896f7c76055c56a8ef5583aaaa310cea2e3697006 |
memory/2540-11092-0x00000000029A0000-0x0000000002A3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso120C.tmp
| MD5 | 72d5eefc82e08cfd02536d8902306322 |
| SHA1 | d00d7b7dc9d0399ff56bc857369d0ac08387b0f5 |
| SHA256 | c67396838537609b8b25d3fe216636febe9464156c4dfd707792dd12b8f5f5ef |
| SHA512 | f2ec2fb015374ab763d24fab12f6fd7aacaba61313a625394a065c3f98532c656a7f10f8a075fe470f36de8519b9ca22ee1c452c5b70d249728d3cd97acc0ebf |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso120D.tmp
| MD5 | 91cfc52b891c0fc676a0701173406c45 |
| SHA1 | ae18075de1f598528d8b38714566563c0bea6322 |
| SHA256 | a1c2b1d9441eb3fb28d8d78d7407a66321aa902732c6a62cacce6d552f6f6c61 |
| SHA512 | 26510c811d864ee138e843ac3b5800af1abc7a8d8bf5acbf7aa1752a5f68b249cbb5397d433729ee1fe20920a481023f87aaff5add50b11083d74ff13f10243a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso120E.tmp
| MD5 | 3c9c68284c4b483c5030363e5786622e |
| SHA1 | 50a499a831ae2cc1e51845bee899bf9effb8027f |
| SHA256 | 02c6d63991cd97f0daebbda722b536d1879da78e163b2162528ae2ca0800b3b8 |
| SHA512 | faf3c7413246efc2eee3c56f672b5aa351983e56a98aed786d69560df2abe7f5ce4cfad4add7b5dab026d69b03fecc79728da3a6089ca0048e36367732e54e27 |
C:\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\IEFunctions.dll
| MD5 | 46ee93cfce4dd2576579f45ad8c41b88 |
| SHA1 | f34a4eb6df68e521debda61e5af46aaf461bc3ce |
| SHA256 | a8fbec39470467e43e3fbc48cceeaf11d5e2fe3b98c521ac71b5522e7b46a859 |
| SHA512 | a2eb8ed29a819ee821c749dd76c04c2f3a5284a0063d08c43c9eaeb6f68a7c9034b846cb3cca26608cfe28b5ddc07842ea70a6aeb9cb7c6c1b579c3d05e40a5b |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi.xml
| MD5 | 9bf9eac5bf80607c7dce40b49a7aef45 |
| SHA1 | f15607a35e387fddb86f03696c9f172badadee4b |
| SHA256 | a9705c8c84f7f60ac9da0573532b679ebaca459213c79163ef7f02d2a97c90ef |
| SHA512 | 7504cad6ce30c64cb18cecc8f5414d157689374df44bdce0efa8d4c5830c0760b0239f691fdf6f5b77b2feca104e07475155cd7243ba7b57a2795c32263d66d1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{56BD67AB-67CE-4FA1-8503-334F31E85DE6}.ico
| MD5 | cc293971feb692e18edd790fcd6ff10e |
| SHA1 | 09a2c236508962ed8d13736033bd2479f13dbf32 |
| SHA256 | a863b816dbda3deda70419bb471f11f0f0e0ca20ebec82a0c00d5c304690b3c5 |
| SHA512 | e245e2bf17e143fc4cd24224bcaa68ec7a9548ae8f8c295caf0cd49e366f22985a123d7e2da995864a9d233b9510df3eddaa5dbf0f65eb81468ed74bb0b2070e |
memory/2540-11191-0x0000000002CA0000-0x0000000002D3E000-memory.dmp
memory/2540-11192-0x0000000002CA0000-0x0000000002D3E000-memory.dmp
memory/2540-11193-0x0000000002CA0000-0x0000000002D3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
memory/2540-11221-0x00000000029A0000-0x0000000002A3E000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240729-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2712 wrote to memory of 4436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2712 wrote to memory of 4436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2712 wrote to memory of 4436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4436 -ip 4436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240708-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
NSIS installer
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\hp_ffx = "http://search.ividi.org/?src=tbhp&id=b1f1995b000000000000ca26f3f7e98a&affilt=orgnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ = "escort" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\Programmable | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ = "Ixtrnlmain" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\ProgID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\ = "ividi Toolbar" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\CLSID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\ProgID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\ = "escrtSrvc Object" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dsFFX = "Search " | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\tlbrSrchUrl = "http://search.ividi.org/?src=tbsp&id=b1f1995b000000000000ca26f3f7e98a&affilt=orgnl&q=" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CLSID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ProgID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd\ = "CDskBnd Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\ProgID\ = "ividi.ivididskBnd.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\TypeLib\ = "{905E34C2-F4EB-49BE-A36B-47692CF957A8}" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\ = "esrv 1.0 Type Library" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\afltId = "orgnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\ = "esrv" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\CLSID | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 172.232.25.148:80 | reports.montiera.com | tcp |
Files
| SHA256 | 8899bad652911554491e165b97219bee14c159881457e563fc1f80e033610bc3 |
| SHA512 | a203bd89a24c44379c9a40b32a45823b4a8538759c521c1fdc0527bad332845b095bc821596f7ce666ae46cce292a7249b135a38153d63a6e24af3666f294244 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nszC021.tmp
| MD5 | 4c2745ccd0bc01b3707dbcba7bf263ad |
| SHA1 | f85887c0e4a52308822f6c51b77a298012e7f978 |
| SHA256 | 8dea0db6576b40c63a21cf4bc6f272ab896b878bfb83552d44a59474244519c2 |
| SHA512 | e5322126336795b1cb4aa725ca776a424b8c08f4589abd3bb10ebf1ceb2c7c399ba4f7f53485c5825f2698b3e0c906b64b25bfaaab3b0b474a582e9bbd4631b7 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsoC031.tmp
| MD5 | f2e0551044dfed072467360d88ea773c |
| SHA1 | 3d4f44c6875353182273ebaeacf96dcd2f641b23 |
| SHA256 | a136b3df62496c7ba1faf8bea2e526c92dd3f7e01f8c385c60088ed526557ba5 |
| SHA512 | 8cf6def50049ff2795c4d9f6e83c1c9946d1adcf4dd16b2aa34dd83b165b9749257b87c0ba6b5ba51d9f5a7d003281625046a65aaeb0f3689c92a34aa0521a32 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\user.js
| MD5 | 31491d33659f0721c724c6b3f0ba4de2 |
| SHA1 | 7a544fcbd37393b7ff5baaf4689b791abd0ac834 |
| SHA256 | 60f5339e66bf7ad125d573a17ecd43882fbe6d36f89d3e81793e4df19e9eda07 |
| SHA512 | fd94a22664f98aa42bc10ca7c57d35de93fc30661fb1e1de24db880110d21271c23fb26163ea0b29c893362ea676fc1fd4d2df967d44d6b6c145cc279c60474d |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsjC063.tmp
| MD5 | 718befe38b20cdf774e0410519c80f3b |
| SHA1 | 8cfed624310995f2738cdc35b419edfc36169c29 |
| SHA256 | a221ab2d8a559ba1eb0d78588c82ff65098b479d11a8aebdf84c59caa8388d17 |
| SHA512 | d08993e505530653f021a73e53fe49e2b3d44b1a809ccd245bd63a4471810f5f3e902d92619ae96580dd0cbba7ee187b5d7d6b03a7a11b38c43b24ee5712c8df |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsoC083.tmp
| MD5 | 4422aa97fda290bac69a1891f5d72095 |
| SHA1 | 0c033ce9181c0fa3e223994963e25991b8abe510 |
| SHA256 | b0140522c5e51f19f1351ae70dc79f1b7408fb6a4b4042a42d7266880bf76c98 |
| SHA512 | 0a0eaa069bf3e4322b8f13cbd24610f9a809a6f2bcef9efde70717a14d51113bcb1a2dbf541f53e41aad25a41458a9bfcc35cd6a7df835e99bb444925a35973e |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseC094.tmp
| MD5 | dc9bf0f09af1c0755c486acdc1098109 |
| SHA1 | 49386dc4f33154887a2943dab601b1ebf154c934 |
| SHA256 | 106f2e118cfe7970a9cefe45405d8f019be765856c1a8d07c80ec5d4f21d068f |
| SHA512 | 31a74358bda7b4d6847dba6e8f62cb98ed1804449053bceacb3de13683462268b34810db022659009cfc217a7ea808521f39b7ed57e66c7d184924276a97d09e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\user.js
| MD5 | 2e698baefd589247492a8d6a70608f91 |
| SHA1 | 53be6903693480e3f2bd111bef57d600ee7930ba |
| SHA256 | 6a3a1366bde34b3850bcadda45b60cf858d9def54b62fd9fdaf0e4ca831de9ec |
| SHA512 | d02e36019779f18c27f16142b0d6b4f5410a4f1ecdcabb870c8ee840349e162930c20666491265081e8fbbac7ea9b6e81249ba2c68bfe48956822490ee22ecf5 |
C:\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
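The Files table above records each dropped file as a path line followed by MD5, SHA1, SHA256 and SHA512 rows. Three of those entries point at the same Firefox profile file, `39ptzwfm.default-release\user.js`, each time with different hashes, so the installer rewrote that file repeatedly; `user.js` is the preference-override file Firefox applies at startup, although the page does not record what this sample wrote into it. The Python below is an added example and not part of the sandbox report: it parses the table format from rows copied above (constructed sample input), validates the hash lengths, groups the paths by location, and reports paths written more than once with differing content, which tells an incident responder to collect the last version. The category names and helper names are this example's own choices.

```python
import re
from collections import defaultdict

# Expected hex digest lengths per algorithm column used in the report.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: six consecutive entries copied from the report's Files table
# (two Firefox profiles, one NSIS temp file, one memory dump without hash rows).
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.Admin\user.js
| MD5 | a96619a2b016362dc1a3ec2912013dcf |
| SHA1 | 45affa9ac56e8565ac98b2ad210881e72e1f3049 |
| SHA256 | 629e1bd7d6a41dd061911b247a6824e0388e0825662eb63bbb108f98539694bd |
| SHA512 | a882432207a5398438452b71a1b5973da20b3ff652abbac43029bfb8284e43f8efcc817aa535c164733ff7dba4521aaa119b142cac61818357a085d58adf994e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\user.js
| MD5 | 7a71cdefec1942644e346cb9529f359d |
| SHA1 | 4de22da8126fd12c4bef1af61ccca58981a77161 |
| SHA256 | 440a33d63420046141446a923afbf1691ed4b8059d21aebb61a29a08253ef3b5 |
| SHA512 | 2022c76d6240fdd0019b6fef58a3d77178860e1092af686846054283425c6503e8490d3363271f3ebc4f14c113976b4f2a4c8e504bcb8a554fa8cb20a9110af6 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseBFEE.tmp
| MD5 | 5e627bcf005c166eef941b8b70955857 |
| SHA1 | d82ddb8b3dbccced83a73f03cf319d44ca34d24c |
| SHA256 | 04e54bdd91948ca64717c5602dfccfa97e4c5f7dadb919a3ec1add9cfbd32202 |
| SHA512 | f57b0b31395e27e8baee401af82e79bfc199938e78b21b9f3e214cc522201822abfb34b4e353193f3d5a866d5384f2b9bbc259c79cd3b8a6e778be495e64a013 |
memory/1768-1963-0x0000000002470000-0x0000000002482000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\user.js
| MD5 | 31491d33659f0721c724c6b3f0ba4de2 |
| SHA1 | 7a544fcbd37393b7ff5baaf4689b791abd0ac834 |
| SHA256 | 60f5339e66bf7ad125d573a17ecd43882fbe6d36f89d3e81793e4df19e9eda07 |
| SHA512 | fd94a22664f98aa42bc10ca7c57d35de93fc30661fb1e1de24db880110d21271c23fb26163ea0b29c893362ea676fc1fd4d2df967d44d6b6c145cc279c60474d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\user.js
| MD5 | 2e698baefd589247492a8d6a70608f91 |
| SHA1 | 53be6903693480e3f2bd111bef57d600ee7930ba |
| SHA256 | 6a3a1366bde34b3850bcadda45b60cf858d9def54b62fd9fdaf0e4ca831de9ec |
| SHA512 | d02e36019779f18c27f16142b0d6b4f5410a4f1ecdcabb870c8ee840349e162930c20666491265081e8fbbac7ea9b6e81249ba2c68bfe48956822490ee22ecf5 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files_table(text):
    """Turn the Files table into an ordered list of {'path', 'hashes'} entries.
    A non-table line starts a new entry; hash rows attach to the current one.
    Entries without hash rows (memory dumps) are kept with an empty dict."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1)] = m.group(2).lower()
        elif not line.startswith("|"):
            entries.append({"path": line, "hashes": {}})
    return entries


def malformed_hashes(entries):
    """(path, algorithm) pairs whose digest length is wrong: copy/paste damage."""
    return [(e["path"], algo) for e in entries
            for algo, h in e["hashes"].items() if len(h) != HASH_LEN[algo]]


def classify(path):
    """Coarse location bucket; the names are this example's own convention."""
    low = path.lower()
    if low.startswith("memory/"):
        return "memory"
    if "\\mozilla\\firefox\\profiles\\" in low or "\\chrome\\user data\\" in low:
        return "browser_profile"
    if "\\appdata\\local\\temp\\" in low:
        return "temp"
    if "\\program files" in low:
        return "program_files"
    return "other"


def rewritten_paths(entries):
    """Paths recorded more than once with different content, mapped to their
    distinct SHA256 values in write order (the last one is the final state)."""
    seen = defaultdict(list)
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha and sha not in seen[e["path"]]:
            seen[e["path"]].append(sha)
    return {p: shas for p, shas in seen.items() if len(shas) > 1}


def sha256_set(entries, category=None):
    """Sorted, de-duplicated SHA256 list, optionally limited to one location bucket."""
    return sorted({e["hashes"]["SHA256"] for e in entries
                   if "SHA256" in e["hashes"]
                   and (category is None or classify(e["path"]) == category)})


if __name__ == "__main__":
    parsed = parse_files_table(SAMPLE_FILES)
    for path, shas in rewritten_paths(parsed).items():
        print(f"{path} rewritten {len(shas)} times; final SHA256 {shas[-1]}")
    print("browser profile hashes:", sha256_set(parsed, "browser_profile"))
```

The `browser_profile` bucket is the one to feed into EDR file-hash searches first, since those writes land in per-user profile directories that survive the NSIS temp cleanup.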
Analysis: behavioral32
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2072 wrote to memory of 748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2072 wrote to memory of 748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1236 wrote to memory of 1980 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1236 wrote to memory of 1980 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1236 wrote to memory of 1980 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1236 wrote to memory of 1980 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1236 wrote to memory of 1980 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1236 wrote to memory of 1980 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1236 wrote to memory of 1980 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 800 wrote to memory of 4984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 800 wrote to memory of 4984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 800 wrote to memory of 4984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 224
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\RunDll32.exe | N/A |
NSIS installer
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/Unitech%20LLC/ividi/1.8.23.0/ividi.xml" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\FaviconURL = "http://search.ividi.org/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\URL = "http://search.ividi.org/?q={searchTerms}&src=tbsp&id=d36618c4000000000000da61a5e71e4e&affilt=3&r=171" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://search.ividi.org/?q={searchTerms}&src=tbnt&id=d36618c4000000000000da61a5e71e4e&affilt=3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41} | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutUrls | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{9300D574-3C8A-420B-903D-092FA54CBB41}.ico" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\Codepage = "65001" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.ividi.org/?src=tbhp&id=d36618c4000000000000da61a5e71e4e&affilt=3" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
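The Internet Explorer rows above spell out the browser hijack end to end: a BHO registered under `Browser Helper Objects\{CLSID}` (the `NoExplorer = 1` value keeps it out of Windows Explorer and loads it only in IE), a `SearchScopes` provider and the `Main\Start Page` both pointing at search.ividi.org with a fixed `id=` affiliate token, and a `Low Rights\ElevationPolicy` entry whose `Policy = 3` tells Protected Mode IE to launch the named broker, `ividisrv.exe`, silently at medium integrity rather than in the low-integrity sandbox. The Python below is an added example and not part of the sandbox report: it parses indicator rows in the report's own table format (copied above as constructed sample input), extracts the BHO CLSID, search host, affiliate token, start page and Chrome extension ID, and flags the elevation-policy entries that grant medium integrity. The rule set and output structure are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Constructed sample: indicator rows copied from the report's BHO, Internet
# Explorer settings, start page and Chrome extension tables above.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\URL = "http://search.ividi.org/?q={searchTerms}&src=tbsp&id=d36618c4000000000000da61a5e71e4e&affilt=3&r=171" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.ividi.org/?src=tbhp&id=d36618c4000000000000da61a5e71e4e&affilt=3" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
"""


def split_row(line):
    """Split one '| Description | Indicator | Process | Target |' row into cells."""
    line = line.strip()
    if not (line.startswith("|") and line.endswith("|")):
        return None
    cells = [c.strip() for c in line[1:-1].split(" | ")]
    return cells if len(cells) == 4 else None


def split_indicator(indicator):
    """'\\Key\\Name = "value"' -> (key, value); anything else -> (indicator, None)."""
    m = re.match(r'^(.*?) = "(.*)"$', indicator)
    return (m.group(1), m.group(2)) if m else (indicator, None)


def extract_iocs(rows_text):
    """Apply the hijack rules to every indicator row and collect the IOCs."""
    iocs = {
        "bho_clsids": set(), "search_hosts": set(), "affiliate_ids": set(),
        "start_pages": [], "elevation_policy": {}, "chrome_extensions": set(),
        "writers": set(),
    }
    for line in rows_text.splitlines():
        cells = split_row(line)
        if not cells:
            continue
        op, indicator, process, _target = cells
        key, value = split_indicator(indicator)
        low = key.lower()
        iocs["writers"].add(process.rsplit("\\", 1)[-1])
        # Rule 1: anything registered as a Browser Helper Object.
        if "\\browser helper objects\\" in low:
            m = re.search(GUID, key)
            if m:
                iocs["bho_clsids"].add(m.group(0))
        # Rule 2: IE URLs (search scope, favicon, start page) and their id= token.
        if "\\internet explorer\\" in low and value and value.lower().startswith("http"):
            url = urlsplit(value)
            iocs["search_hosts"].add(url.hostname)
            iocs["affiliate_ids"].update(parse_qs(url.query).get("id", []))
            if low.endswith("\\main\\start page"):
                iocs["start_pages"].append(value)
        # Rule 3: Protected Mode elevation policy, keyed by its GUID.
        if "\\elevationpolicy\\" in low:
            m = re.search(GUID, key)
            if m:
                entry = iocs["elevation_policy"].setdefault(m.group(0), {})
                name = key.rsplit("\\", 1)[-1].lower()
                if name == "policy":
                    entry["policy"] = int(value)
                elif name in ("appname", "apppath"):
                    entry[name] = value
        # Rule 4: Chrome extension IDs are 32 letters a-p in the extensions path.
        if op == "File created":
            m = re.search(r"\\extensions\\([a-p]{32})\\", indicator, re.I)
            if m:
                iocs["chrome_extensions"].add(m.group(1).lower())
    return iocs


def medium_integrity_brokers(iocs):
    """Apps that Protected Mode IE launches silently at medium integrity
    (Policy = 3): these are the entries that step outside the IE sandbox."""
    return sorted(e.get("appname", clsid)
                  for clsid, e in iocs["elevation_policy"].items()
                  if e.get("policy") == 3)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_ROWS)
    print("BHO CLSIDs:", found["bho_clsids"])
    print("search hosts / affiliate ids:", found["search_hosts"], found["affiliate_ids"])
    print("medium-integrity brokers:", medium_integrity_brokers(found))
```

The same four rules translate directly into host hunts: the BHO CLSID and the ElevationPolicy GUID are exact registry keys to look for, the affiliate token is a stable string to search in any `SearchScopes\*\URL` or `Start Page` value, and the extension ID is a directory name under every Chrome profile's `Extensions` folder.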
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\Programmable | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1\ = "appCore Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\Data | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\i\CurVer | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\tlbrSrchUrl = "http://search.ividi.org/?src=tbsp&id=d36618c4000000000000da61a5e71e4e&affilt=3&q=" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\CLSID\ = "{8B8B2E80-1444-451D-AC8E-EB9A847F3887}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CLSID\ = "{8B8B2E80-1444-451D-AC8E-EB9A847F3887}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\instlRef | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\autoRvrt = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ = "IescrtSrvc" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\i\CLSID\ = "{D18734A5-B131-4335-A3E0-15FF90AC90EE}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\postUninstall | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\uninstExt = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\CurVer | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiApp.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\ = "IEvntCntr" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ = "\"C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe\"" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\smplGrp = "none" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ = "IxpEmphszr" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\vrsni = "1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\ProgID\ = "ividi.ividiappCore.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\run4ie = "end" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\Programmable | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\Instl | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1\ = "escrtSrvc Object" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 3688,6B1F6CF202234D3DA90BEAB1CA759938,323722A5827747A0A44574BC9BAFE52C,5BBCAFBD77654AA98C62DCE6B564311F
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 3688,DF3FACC75E514CF7A714597FF59744B1,59BBF15747F9447883F5DC410FF145F2,5BBCAFBD77654AA98C62DCE6B564311F
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe" /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe" /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | dl.ividi.org | udp |
| DE | 23.88.53.29:80 | dl.ividi.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 29.53.88.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | search.ividi.org | udp |
| DE | 23.88.53.29:80 | search.ividi.org | tcp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 172.232.25.148:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | 148.25.232.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\OCSetupHlp.dll
| MD5 | 9e4e850e12f2f4f869b2491dbbb17ceb |
| SHA1 | bd89581a89604b601c817ea680c2a224b46737f8 |
| SHA256 | 4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6 |
| SHA512 | 9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5 |
memory/880-13-0x0000000001540000-0x0000000001541000-memory.dmp
memory/4636-15-0x00000000007D0000-0x00000000007D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\IS.dll
| MD5 | c31b97adf54bdd6ac6d19ab85cc6bc57 |
| SHA1 | 7e458577b1fe49885c21f38ba981f77b00bdd59b |
| SHA256 | 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a |
| SHA512 | 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsJSON.dll
| MD5 | 78b913fcd04259634a5e901c616e6074 |
| SHA1 | ad5e1c651851a1125bcad79b01ccdcfa45df4799 |
| SHA256 | e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59 |
| SHA512 | cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5 |
memory/3688-28-0x0000000073780000-0x000000007378A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\NET.dll
| MD5 | 9adaffc2a1b579115e40407733d94dde |
| SHA1 | 866bbb0dbbd217aa287fe3324ecaa828e8d7b622 |
| SHA256 | b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555 |
| SHA512 | 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe
| MD5 | 8c271a4f3d22bab31657afef6d391392 |
| SHA1 | 73ca356b709eea6404ad8a997d4175894706430f |
| SHA256 | afc3a56884a203c8351098f217383d7397ede85580e1ce6dd54ad59f327bed69 |
| SHA512 | cd433aae16749a0581761fed60d1758f80351d9a08219a256aae95711060f91a2189fbfbf7e5dd35202d8c1da92049c03357c505159c7b724c4896dd7a1cc832 |
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\chrmPref.dll
| MD5 | b2bff24dcb4606c6c8474f979bfb4858 |
| SHA1 | 5671b867df8ce726d1075909cd40f3934d680da6 |
| SHA256 | 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af |
| SHA512 | e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874 |
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll
| MD5 | db4961bbb3c1cf487904b15ea5b5884b |
| SHA1 | d1c23d22e93d3f9b268f99519d38d010ff99ea6c |
| SHA256 | 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12 |
| SHA512 | 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d |
memory/2968-87-0x0000000002830000-0x00000000028CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\mt.dll
| MD5 | 4fae8b7d6c73ca9e5fc4fe8d96c14583 |
| SHA1 | 10865e388f36174297ec4ecdafd6265b331bfdcd |
| SHA256 | 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f |
| SHA512 | 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1 |
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 272bd30fc0ad14498009865db72e72d8 |
| SHA1 | 614d01219e99362e53481241222b5e08455a35ef |
| SHA256 | 4b1f5cd993418399c70cddd77a624ec5f5c93b0cff309e77110fd9626ea1dd70 |
| SHA512 | 73fafac850b25a91576d782a4194c398449fe8239d231e162c8ee407709c8a749be6af2d741ddb2914018219aebff5a4a13dfb794cf3d761a592af49850d7db3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\prefs.js
| MD5 | b19931fbf0770986629cd6dd7357d713 |
| SHA1 | 231c2a45fc9f2b1589125ee37a8baae53e32cd47 |
| SHA256 | 8d318217a2be11f55e8a0610d0d2625e10939b0048d4ecfdc4a38f6b65a30839 |
| SHA512 | 09a21f561574c4e734c30e7885cbab1e724af3f82464a840083082a346b205d8292aaa2f63ae8ddb69247a001612fd8e2e3b8bcf85b50d86b7ac702437448ed5 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsfD1E0.tmp
| MD5 | 28ca68f733a2baa1bd1f516bcc65b541 |
| SHA1 | 6e4dc57fb74679f8b3b9a4bebb55a1c49554d2d6 |
| SHA256 | e704a4be4f9e448060814859c8af7393bd3f0d5670cb7da33ea397ba4067144b |
| SHA512 | dade5c80198532acb12d49d0d23228a59cafd3ee35c8e746e92367d1d66e5fae00b79173efc11c2d7cff32d47f5908b49108322e29d54a534627ab4cf3c4d98d |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nseD18C.tmp
| MD5 | f4c67df51bc663d0fe796da555808daf |
| SHA1 | 401b211bb00735844e776c42808584a68644a82e |
| SHA256 | 3de9f09bef858f665cb65798f1a5d9a3554b8965d318abbf0df42736294db187 |
| SHA512 | a6a8636e3c6676cc181aa41f1f2490177baf38920bd9c3fff2181475ac542fd25bf16c4f409a1c93d5eb3f6e20842aee529646a655e80548bbda752cdd38c618 |
memory/2968-86-0x0000000002830000-0x00000000028CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | b522517c3080368363dd30cb20178701 |
| SHA1 | 7f4ffc4b050dbd6cfcddc99b3c8ffa41a86462ba |
| SHA256 | 2797eb9bd0f24807822aa0ad9f9a770504c61598d496875be5d3a3ed6c9fc50a |
| SHA512 | c7d06150a1b376b4a5f70d02cf551f9930c384623b023a6949cbc38a623ac783c11512f8483738ca12eb94acb5837951dac21153832b78b73f0b63e74e157689 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsaD34F.tmp
| MD5 | c1f678982f2e14ee43ab9e25d6d4dc1b |
| SHA1 | 283c5f9db053718e4f5f9c572f18502b9ff1e6e6 |
| SHA256 | f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f |
| SHA512 | 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsfD370.tmp
| MD5 | d66b2022009ac5ee79ccf1e849609241 |
| SHA1 | e7ee619e4cc3c4896ad65eada651643d80ed9a1b |
| SHA256 | 481a094a5199d2d45a036676d84508505559f56288b0ed8131eb9a32510551e6 |
| SHA512 | c3f8396e7e3670b32c3125184c8e8ff67447f3d2fee600c37357bcb748d1c4cbc03a7c68d5202913e70a0aaa5bd95304ae90bf61e5ee7242a43d3e467812e1e9 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsfD36F.tmp
| MD5 | 55e77d60d71bb65a8fca04818df04968 |
| SHA1 | 0d40f3710f9d137b2bdc4c725d2953ad84e5778e |
| SHA256 | 2f7e1067489437ae1d4ee047aa7f3800c44754f59a2b555a5a02a61163548ae2 |
| SHA512 | 89d0efee4f55e5a93caece636c36702aad71bb2c9ba6dba4147d325131ad4214d6c192df3e2ae4963278eb394dcf61e746d6d6bd61771cc9f25eee240e09bbac |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsqD44D.tmp
| MD5 | 0ab1ab6be564252ebc87be385bb23743 |
| SHA1 | 064661f0fc8dc6b4ef86590632666c3d6f575d47 |
| SHA256 | 0fa43ffd44c3440ae1660cc524376682955473408dc65649d452396296e9cf4a |
| SHA512 | 0a8bd008e5c50d18ded857a80be5baa070de5d1e493f06243e521600e0718508ed59c2d74ee00d154fac64ad6ba06ab0cc616e97c29df5d5258a70d6602852d5 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsgD45E.tmp
| MD5 | 61f2fbf7f90e52ce617766db11941700 |
| SHA1 | ab0df6fac65b0ede03f3281514495758744d56d2 |
| SHA256 | b077945e07f395378d1b9c5958aaa86fcc8a631a66f27c6a9b73dc87c8d92a1f |
| SHA512 | c2d8b150ee6a7e153a84f6aeab85fc4548b8c62bfd5cccad5b92b948531ebf7ace8ac6c5dc73f72358dc5c8cb0e2a77d27ac4fde7556a52e99c7d1cdd7e4a3f7 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nsvD50A.tmp
| MD5 | 4cb12120edfac9fc690afac246250b0d |
| SHA1 | ea3d09114164ca561e02e27cd0bf7a70aca7eadd |
| SHA256 | 0c951decc8a2f3a09e715bb657b742d7b040f061b58328a2c54c0e4428c073eb |
| SHA512 | 58c3e2d0648f8b13aa07501679d5ca0a25f3d3ae64a8abbb9bc0c04d861480527eaf18dab93a07994210e2deb1159f812ad5ea02f7174bab226c32d24e3b34d5 |
C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\nslD51B.tmp
| MD5 | 03c34b0b9c524f804e8bebad6f4262ef |
| SHA1 | fbb285280ecb75e3586c3c39156335b3a745d771 |
| SHA256 | 0abd18bfa3c846321416b1d4946bff393bff29f6d1a44a56ec4613a6d492a813 |
| SHA512 | 1e6d8fd9b55a2c590c788dc07391b71dc335bc46a34dc26b2273ae6e34d7cac21d8173fbea8c37c904027bab423c4bdb905f1ebcb442e2f6d385b85f0510f77b |
memory/4636-1899-0x00000000007D0000-0x00000000007D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | d18c20b1768f93556c79f89a31a56b4b |
| SHA1 | cbffb7f87f41197df38adca90757b8c77a01f6c9 |
| SHA256 | 438afd8cae7f5dc75fdff0849523ca79ed1360a411349b3210442a0eeaef7567 |
| SHA512 | 9b2eb2c31b8dc3a151a9b42f9a335c79ccd17d9d34ba96e1d7ca119ac707129af856defd151389c4fbbf986b3952a34cab8dc058df54730d69b7f2b92177b4e4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 430f8129fdf28bde913f8699c1aeb396 |
| SHA1 | 1d68bf2fc160e62637b9d6450f9367dbab59af4e |
| SHA256 | 831f8ccc8834e532f8623c1a99cff9fc55037bcb902941a186a0df560cc82038 |
| SHA512 | e677bf955cb2d6aa56b8ac9f03727f12ea6286683838f3f5414b0eeb5f40e9e95695a6522a3824af518c9895938889b585ba1a2d45881c3187a8d94303140537 |
memory/2968-3381-0x00000000021F0000-0x0000000002202000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/2968-3423-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-3421-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-3430-0x0000000003000000-0x000000000309E000-memory.dmp
memory/2968-3431-0x0000000003000000-0x000000000309E000-memory.dmp
memory/2968-3448-0x0000000002FE0000-0x000000000307E000-memory.dmp
memory/2968-3480-0x0000000002830000-0x00000000028CE000-memory.dmp
memory/2968-3482-0x0000000002830000-0x00000000028CE000-memory.dmp
memory/2968-3481-0x0000000003010000-0x00000000030AE000-memory.dmp
memory/2968-3472-0x0000000002FF0000-0x000000000308E000-memory.dmp
memory/2968-3469-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-3468-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-3460-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-3457-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-3449-0x0000000002FE0000-0x000000000307E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
| MD5 | 690df0811fc73ff2219183e5d80d824b |
| SHA1 | a720126932f65de281c6f34c5512be8f787f7161 |
| SHA256 | 19e42855c02278efba771951c712468221e3318984e65c866590899a70e9b8cd |
| SHA512 | 7e5feae85b18b479a014f050a31d276b3a7d82600b1ab62338c371b9093e23e59021973ddb2cd5783247be076b5824f96bb7f05998c5fc26e971307e1cbb49ce |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 0b4a84435ba1fc4f3f8495cb837ea2b5 |
| SHA1 | 436e832401ab762dc3c698b9a66e0a47ca588d30 |
| SHA256 | 060603bf05d5e99ce1b789f32372b3575e429874ce17e42db8eb3b99072140fc |
| SHA512 | 58c413369e69c50a4795bc75f8a109cf79f7852ce3bde1db5d22fb9e3f17df0f933bd8549738d24cc65619c38c2cfc29ca3e21a57d9be5b814374622720ee5f6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | ede628f24cb690070669440a3aa1623f |
| SHA1 | 788ba90cb4fff0cf4dcb870d7fb71664fcc5f938 |
| SHA256 | 2a4bbe7ec76c69b09afe3eb48616ebcf88e7468b6bf599e1ce32e215ec12b379 |
| SHA512 | 7abe6498d38be047a90695ee1cbab64b98a0f9dbe9db16eb9a6d096a5c32408c7bba527d8aa0bb73f203a6473501d1e041d69a4678ed2b30b097d5e92e321d38 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll
| MD5 | 1989cd78346c1f430484236daca1c2cc |
| SHA1 | 9d9eaece8fe80dd400a1af12595a5a32e931abfe |
| SHA256 | 2d8ab3f2dfec1393b75e1ba8d12148ab5b5e334d1b071754e08f7087b22cdcc2 |
| SHA512 | 00aaf06bc2a092ce3d9b8d95e685a9fd0b61a8a5afb23910bdeb43a82bb294f54ce21a05823cdca28aa67b520dfb4091c847f4ae2ea211156441dd3e5a50205a |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseDD5C.tmp
| MD5 | fe6f1a57ac6c71034270c4bc2d07ccba |
| SHA1 | 601b2215f7570a33f0c8c10bcd4c2dfd7f95ffd7 |
| SHA256 | 5ee1d60356393422f134b8b2960adc16bcdd9d354c07372e568981edf651212a |
| SHA512 | 8225521ae9ea2d3d345ead6373e2c94232884fb55b4261edc32315ab29abee4e0020e6e14e909659fa5cdd49870088165fba7cd40811b73303b4ffdc1ca00ca5 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll
| MD5 | 8a7e5619cbb2c659b3dd2d9c4a09db98 |
| SHA1 | a7eb94c32ca25dc1a9eb461d2d97d48475e010b4 |
| SHA256 | eae253b5691720fadd70083ed874b53929287a3d93834a3206f78ddf8fab1201 |
| SHA512 | 14f126006dccead7a344e69e6f21de15bddc6ed30fc248df4043838edd6ed838eae2db0f9ea1204584064a4426d610aeb34f268e37a98f54f274029763a146c1 |
C:\Users\Admin\AppData\Local\Temp\nsjDB9C.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nspDD9C.tmp
| MD5 | 9dbb20bd446f2f4b09d3488b99cf30fa |
| SHA1 | 43089287123cc8f0f7e2e9b5148f8512db968d76 |
| SHA256 | 43d080fb6a1b053e68b7e36b00669ecc33cc28d497596a14d614147329c2ab2a |
| SHA512 | 9313ea5978d3b2f77eb57209c7f394d0ca204acb558c63a53d8a73badb81a29c959a6051489c78192d7dd434ea6ee4c7a9af8196db2b347e6d13a8ead97971dd |
memory/2968-5063-0x0000000002F90000-0x000000000302E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseDDFA.tmp
| MD5 | 408ac1c973b3d5aba970dc7bcaa25b23 |
| SHA1 | 5193764142d1aae696c70080c94cdbdd0eca104f |
| SHA256 | 303e48f406401ca3f879e0e098e7a60a9996e35f81fe9588b208efd762f0a941 |
| SHA512 | 5208cdafe0867451227d5beffa6abe3149cc5e8bb607f47935b95cf66fd93d1bbee70f9d36f2ef1a19a439dcbed4379e0dc2c5875ff2a7b8242adff283d92b5e |
memory/5504-5043-0x00000000022F0000-0x00000000022F9000-memory.dmp
memory/5504-5040-0x00000000022F0000-0x00000000022F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nskDE1B.tmp
| MD5 | 5a44305e078c215e66a2c43f75188a22 |
| SHA1 | 8b0b72d50c7e228c0f651dcb2649c61a129ba9c4 |
| SHA256 | 3903e15c13c11da0ce085342fee31973baa63e802c53303b51c169bd53b8c4f2 |
| SHA512 | a97bc49c4328f7ac6431bc07d03640e2d4541be477272ba776b19286b7a12345ec422a1d91cb8d38cb1f07a87bbc11b488306df51435377137b1decc03b891d5 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nszDE79.tmp
| MD5 | 14874c05e64ff08f2b1a386b94565906 |
| SHA1 | 0f3b54790a9130d648c6dbde50c00b51c189cc8f |
| SHA256 | 628fdaed409108eca1a5ad3b03835d37733d87d04fc236c48fabd2c60362ea27 |
| SHA512 | ddba1781f1369b91a93bc9764c0dc39d8082671ac93326bcaf3375a50b5c24b66a24167a0a1de1ef0a97938c83a300e4934517dc302a667581b049f85000c4d5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 4d027f7a5042513541bd99b81ded2fc3 |
| SHA1 | 796f04694a0ba2fea205780a5eb1274c62f8a6fe |
| SHA256 | dc78c2fd56996e0092b0a773db901bf761b9acda0c5d4319ccbbe01c9747b0a5 |
| SHA512 | cc341cc9e7a7ab676eb2b1fb8ec4282e6b9e4a5acd1dc843a3c4b8877585dddb04ad8c5cba556cadff4b024dcfc446ba29e03ce2b267dd0935ebf4303b436c25 |
memory/2968-5575-0x0000000003310000-0x0000000003322000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nskDF57.tmp
| MD5 | d3dd64c430995bd1e3ba0e3f8699cee0 |
| SHA1 | f9f6e875430b4a578a38ca028ea95e6fedc539d2 |
| SHA256 | 10f43ac859260f244b16ed6c05c4f149378baa50f74ebb1dae75db9a14d2fbed |
| SHA512 | d52e61df8e75d1a163b079bd4027a60e7193720bad017840b12879d8c3be13f0a4703ab0a58750af41956a215b954731af213a5d64fa8850d6aec4ed8692fda4 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nspDFC7.tmp
| MD5 | ea3f1c8bec8b641d2c92655cf286a592 |
| SHA1 | 54767e0bea11a4f2f30c11ac8ff8018e56bafbf6 |
| SHA256 | ed455288818fb71148775d22deab5ecfb063c26a72a843ee223d278fcd5c6a92 |
| SHA512 | a352569a0d7ddef26714bed8e2ba5cec6100fde791406bfd47dfbc622e8aeb6fecdfa713932e1e89976625de5efcd09cfaf673d2e2107c7bad965621d5e1c20c |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsvDFE8.tmp
| MD5 | 2d1384b9e49cff17ff573518e8abc01c |
| SHA1 | 3f7cc9d52fb36160c0c0a272f30fb47668f2426f |
| SHA256 | 2b06e677767cd7f95662c0e7c959d4a35c57f4869a68462faa855d22b0fb67c6 |
| SHA512 | 9a7263ad5a3436ad794ccb5b353e00eba0f042625ec181a6f9909e2838331e791c43316fb7fe32b480f1e0156c2e677792476a667f514e33bfad7e536f2adeeb |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nskDFF8.tmp
| MD5 | 2a3bac88eb2fade8939ecea9ac0507b4 |
| SHA1 | 12d8304e5524490fc5b27075a180cd57d13c81cf |
| SHA256 | dfcbb4eb1a41547f6e9691862d3f21c4a75397be3cbc3add310f05f305b3141f |
| SHA512 | 00cd78f1d3ba9e70f6fb8994160fe1034fc3b601489d8c39f0560c4a75f744539dd219dd2a016f1dc7d30d1cfdf719e175fced7fc2fae330a01df49a86c18b3f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 93014efaf60db7d39826c2ad5848d667 |
| SHA1 | ad9d34bfd12dd13df4eccb5a1dd449a9be8aacf7 |
| SHA256 | 2da0bdfe9ef8ed2b8c5139fc7d4abacdd28cf048728ffc51709fb3a3ce48e389 |
| SHA512 | a148e9c986e473a60a14365ffbb8aad1db08de0b8704f3e2c8702fc46b8b15e72cbf0288e903f802c470354281ca8eab9ce3ed7c878b78adccb30328f58ae54c |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsvE088.tmp
| MD5 | 98704b1aea386e2c56e4656a8e8d5619 |
| SHA1 | 458273f9ab7f587b31ec25501470a6f56c0e2b46 |
| SHA256 | df04f4862f9053e0b5f4e9d07d5afa58cd1395a7f1043d4fbcc54125e10f4ba8 |
| SHA512 | 540e22169f1f5de59b9de65b1a0b9166b448717ec626eb3da9fe4130a0fdccfab8b35c3fbfaf962005cdab9109a4456da717ca1abe77141b47bb00f0046aa99f |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsqE0B8.tmp
| MD5 | ee00f632811cb64fc1f5930a81822a89 |
| SHA1 | 57e0e1c791e40ec257d7ab011cf8aacaa302617f |
| SHA256 | 4c209fa1f641d45d9ad9ff3f02cd95c8d613138fc9144f4a1ded771fba237210 |
| SHA512 | 3400db3a63111fe6d9505b1f5509532cd21cc0657aead06bedf4f918753083faed43a1cc739bb7139155d7dc09a550d7d8df1be97c57d5bc9863a9a5dec0bf2e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 9451777590c3b72b0337c2a41c7cbb65 |
| SHA1 | 5ccbe8667cb238247f7e8b44f98089a835ec5e8e |
| SHA256 | 908ee8ed3167f437e96617250f01abaf2c9f0492ccb7ac9dc3503c25abbb0fb2 |
| SHA512 | aa185fb8b1ad88cccae43af1b994e441c50a8172ce8763292e9becbc07f6fcfa66d4e3166913ded381474547273ccc0ac5f2285f90821f7c7d5c41f571519da7 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsbE196.tmp
| MD5 | 2b5a3f08b9467a6a2ea55b7043ca4832 |
| SHA1 | 384d54c29e171927472e2c10912e6e019b40f2c4 |
| SHA256 | 70af56241f7eefd3f9b12016b1340cada724fa20975b35c14fdee507b85bc5da |
| SHA512 | bb265e9b6c3fb486cdd3ddf8d52f45de17e03d865054449f635f61851a982cffa4b6c72873b077b8cd62e55058d3ed966d7560cfa732e9e5bf93ee02a025ffdf |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsgE1B6.tmp
| MD5 | dfe485d2dcb84483e4a34841e7187a54 |
| SHA1 | 4b871afb521c7bb1a798fdc165fd244f992bf38d |
| SHA256 | 59d39a70a9634eefe1b73b89b75da2cae09d314c4a477750e5b5c4aa86334069 |
| SHA512 | bf02d6a4bd7bd8c45c77ddf9a2774b3e83989dd7b059a6fe4ed9448c2d9ff373ab21c01fa4ac807d2f106f92a661e4044a76009d7e0a275055b590b974b39498 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | ef2b245e66d2a3cc25665e7f627e2601 |
| SHA1 | c2b0e3d607582e4b4354395464f07a13b95e5b60 |
| SHA256 | 5a7c19716c12da40bfa2f0b71075c53a072be34edfe9037c5010ab90c738fe7c |
| SHA512 | 11938e3cb7fa18e192a4f05da1b377bb2bbb61299542feb8e9528e4917b6793aba38f3f4075cd7c520fcdd3c9b505adbf84131d53e2685a2000b38ec7edeb1c8 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nswE216.tmp
| MD5 | 0f148633098bdf93e0bc495301d3c121 |
| SHA1 | 814ba55daa60a3e7578326fcefe1f61c8235f4e8 |
| SHA256 | edafb254c0440b4a40a38916eb43775e62137a776e2fe530031c38e7d71db2ab |
| SHA512 | a90c58c553d88bdb80338b5558a3f929fdc3120231bd213f70c86995593e24a3376244c25fd7a643ae01196e8ca1a681f2c3d62d46a64da8e7510ced62974bf7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | a257f9fec9e392a6fcb8a3d93aa8a6fa |
| SHA1 | c29e4d850a9841b8397f2dbad1c6cd0f0f688f82 |
| SHA256 | 8c36177a8715695ed708daa5b21f7ce1c3d8b4cddee7f87292161d81e29c2be9 |
| SHA512 | 16757ce210b71dd9a652adf79101c2451af108a4d99b34858cf738b9eb1a21d37cca071378463f9254445fff0e7e918a27b06cedb7c6e9b0f6f97c25c7b06352 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nswE303.tmp
| MD5 | e28d93bed98d4ea95ed7be4355ce4cf2 |
| SHA1 | 5cabdbeebba00cb81fc4f9419deebbe112488f08 |
| SHA256 | 2f4e1e1207c4fb0a5e581d5e7bada3b781183da81022adb1c39383f9002f9f77 |
| SHA512 | 4f16f869a19c0f5d45fc6e9698910d437cc2324cd8951d5c25f115ae358b5bd04c4b388d476fbbc3fe18325246aa194b64f9036491ad48bb05c9d0af8c9d7898 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 26e76ff3daedb5ca9bd5889cd51a75bc |
| SHA1 | 4fd61202014650b93639d8ee8d0bb7eb7fb22d63 |
| SHA256 | 6a665f574a4c8c291a0d38fb6e9606408c53a3c3500f1e5b06be0cc9efbe30ab |
| SHA512 | 663fdd2b8714c9a00d70d8fd780468b334c4354b763fbed5a65ee2e97f9aeed7a84fa6c4575e8de8ca1516a774227347a5ab687d278c274c8d645d4a9d49c11b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 0f93105e3d1e78b7fa0b4f36a7d3cf88 |
| SHA1 | 1910b7537d43bed9be2986fec011e15214b6c12f |
| SHA256 | 0b49b7bc03828bf5c15a8ed9d4584a99e7ae4b463dfe9bf36820e944f8f92365 |
| SHA512 | 1e2cdda4ec8fbbf23bbebfd100c34ed5da8ba59aa552f2922fb6f3a7affa861f5de28f8987e31aaf590f91f376474bde66c76fe09b02389415b32042f4f0b2a2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 3f50b0cca0995d3a60a9dc3c3f8cf92a |
| SHA1 | 398f4eec94a413fc85c47253817f02b3cb5f9abf |
| SHA256 | 49ff4bc6d4df963575f3cddf52e01a39d5f32db6b500c2787eebe7b435d2f8a6 |
| SHA512 | 9902c4a8cb2e6aae9d718a32903b66a1f23d1ebb9b1a3ada2524a94374b17de7f7cd55ee049d471c16db0716ddd8bc0d87c9e5aced6a6053b9b720b5b237951c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 536856e17f27c0e6b919c4bef0e549f2 |
| SHA1 | 9c624db248505174d6f4501e2e78ceeede5704b7 |
| SHA256 | de5b8e1c6afcc49cbd6bf8dafe89a965c62f29e4f66034f314d4bb4102839e0a |
| SHA512 | cef170286c711ee196d3e84f438ca5861d8488eafee0ecb33a4a6fc55f8cb23d4f69fdd286615764000c945bf070b51a32dfbd3cf938b59d5470cc8831555f40 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 926de674d05481844414ad716b3692eb |
| SHA1 | 63e6a1f3305acea45b48df9ec127d982eaddd0ba |
| SHA256 | a97e499dc0856b1c6b5b619d3d83c54520c7ed069336118cfc2680418f99ed95 |
| SHA512 | 8097571c377839f2ffa927f17648b30c5d797dcc607c87c568b242a6e61f1385dcd84062aa08f57fc7f9a6fb9b950c5c339a078305890f462068685d94a94324 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 77ac06651e56a597a21820ffb2fedd35 |
| SHA1 | 542fe3ce8ebd0cc629460a87a9720bd975f0a2de |
| SHA256 | bf8b7ef865bf15e14d5932cad5651f888da06002d14d7b1b39e76b1de6453061 |
| SHA512 | c1883edede9ae48fed929cd096657ed49b82ade2811b95782a82bfbbcf269aedf4d561c860e8951893dc26cc9719e125324d7385317bd16e8708e6dc3aa7de9b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\prefs.js
| MD5 | 44bb00decb47b97536f710b2a89ea5b4 |
| SHA1 | 20307700f43f731960af94ffeab17ff4b6080809 |
| SHA256 | 82d153158bb2cfd4cf298b143987c41ea028981f540c4c6df38bcfc718622a65 |
| SHA512 | fdafc1e4948c90f7402bcc9104b21c21424f5bef1bb01e37605aa89eeb775060e7e854980b47625939d9437f0416ae369ef4e00b17a33021dfe4c9158b8b2767 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\prefs.js
| MD5 | 4bb238d5b78721d5c0b92a058ce69f29 |
| SHA1 | bc5a13c45e28770e2dc6432b7bf3c3e49c087561 |
| SHA256 | 6662bf5ca1f346e2891b61e0f133e96ac8bd1815542af84620331485565b5011 |
| SHA512 | 3c5c17843c03e362eef68dc8b28c0dc3c3fddc0f4dfe07e4ae8eecfaa864648c0d84c26d8b64e8f18446cef880ed70c06eedd30f8bb5118357b7197280a5f419 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 57d4477bc92c67b4335799777f0b175f |
| SHA1 | 4b83e7a6a5140ee9330a2a6acbc609ebb32f2b15 |
| SHA256 | 5522a015d7394e88b0977e9a46d461b24662cdb04f245f208ef02cf25f272f09 |
| SHA512 | 5ddae1d8ca6c34318f9ef9b0a32eadec6c74a11e50ee5f465b898af903b934fb263293343ebc74b8bab9a1ceaf71aa7cbdb7e69f10aba2aa3ff6975cedb9a2c0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 60ac5c279548ae26948e1d8cf72c8690 |
| SHA1 | 0c30f1161ab5270f82e4c64dcb6c60e148894bdf |
| SHA256 | 8d374dee20b7726db66e2e1f4b3e6640262f1b181591c2e8e68d77f1659a9f22 |
| SHA512 | 0bb7c7085243d200113ca394923b4dabe1d41b41d0be2c661847c3a2491823c8fc9e1742e4485e778ef74e672aa495c5ad246955d97e2b20369722b837f87f0e |
memory/2968-8801-0x0000000003000000-0x000000000309E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kkr0into.Admin\user.js
| MD5 | 0f34268f974b1f763a1b4b7cb7b59384 |
| SHA1 | 8e3355026a167c56d5823be6c28c8c88eb2602c6 |
| SHA256 | 54e99b449dc840e1d85bda23d741093de467f4ddf5c04aa760d0445561d24220 |
| SHA512 | 632d014bc1f5e215803b5d5735931a8e580eb01aa1274ce275efd790edf3c081d80b6c4bb1350ebbdd07a41c76d413230e5636e2a179aa98e7e7e9aed6ba3312 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 728d37a8ff83c45a0dd84783992ed978 |
| SHA1 | 01efc21698e6b8c27234d601af25e926a6ccaddc |
| SHA256 | dc2d0ef7f03f24d78ecd2e31d7a3cea224941f9808b0060edd4a46561859a12c |
| SHA512 | 7a0aff34eb145104d76c28e92c15d761699fdeda001e3e83fca56bfda61765da40361b3b78d5e7f0735dc9da351d494db79a9f1ff478dbdba3433a53bbb88af4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 27761998db09262a8e636bec2edf7651 |
| SHA1 | 74ebd0ebc559244f2961f07af809e708d4815823 |
| SHA256 | d6b91935ee57a7c9f4c58bea71c509835ca64eaa1709de2234ddd0285d52d2a6 |
| SHA512 | 41826a4c18b01628a7ffa48e5ba84b80a0eec84143d77f307c61d20dff5a8790ca97c8b0d3c23cafdc9d200406c67e50ac2303dd5c70cbf4715da32a739ef6b2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 4f190386fd63333ba049db8344433c61 |
| SHA1 | cbfa8f864e733ace8edd0b26bc8462447da68d6e |
| SHA256 | 1c4f93bf41ba04693a856dd21a92fe2a2bd9105d7c9540bfe77a1c155a445354 |
| SHA512 | cfd5232f602637dc657955671f924ee8108d870815284f987b7b1224e115a294bb85d9b255754781979a4cf5b1d293bc67138e9d34cabccbc515b9b969dff2b7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 525ba7c62d9a513049a54e462da5bedf |
| SHA1 | cba53f1be9cb70d385dcb5c44a12cb01b5a939bc |
| SHA256 | 514af82ae2fa2c59877ee9377f5e94789300359a8627ecf7e58bce884634c5dc |
| SHA512 | 1e6b9c1318045d99b085a0981be26b44b1a238178906c39792a8f458097ce18b28f3bce284601a049210aefc19e098f382dadaf0592b25f8a05812b12adf1a8d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | a600d6290504018e9ae9d22ee9bae2b3 |
| SHA1 | aa75406457d8609f90de2a87ad2a08c795a49dbc |
| SHA256 | 6dbc6c72e75f8b96135cb4831d6ddaa3eaa653662a7c08ff65991d7a6a8b28b9 |
| SHA512 | 37ec34ec36a0c0df0939312da395d511bb4b4d7c53a224171078afb67b68b58255f9fb7a42948e82d8c0bd6d868ca04b6930e6fde9719098238f35d627925dee |
memory/2968-11076-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-11060-0x0000000002FE0000-0x000000000307E000-memory.dmp
memory/2968-11042-0x0000000003000000-0x000000000309E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 9397be3d4c424b88aa0cfc14af1d2288 |
| SHA1 | db1c8f1b587bf7b18a566d63896c2bf605ee8e8d |
| SHA256 | 13e03393c0c2f9524ae14a9cca2fc58a5162844061e1e64cd3866cdcffa6c2f2 |
| SHA512 | 78225f15f8ec38dcb5ec7b7c588565bc6150d02bebf6ead4814f51481c95ff807b4845a820c7b1e648fc884e76a54120000d3212d0dfa98889c37d1b46af2fb7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | f34f88a096cff95e6f59b897ae996b33 |
| SHA1 | 1bd63933e0e6d3bcc5ade925fd0d65827791db07 |
| SHA256 | e84ec7340a0cb2d6910704b3eb3243f321ec23f69916a555761a3df5602d04b6 |
| SHA512 | 21bc5041e34130eef053609ed1cea0a07294d5d54d7e2586cc4838de63d6be5ae1ba41a48774707c0b9b2e85bc5934c980cc3ec36df1d10fb66969086d2e6fc3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\user.js
| MD5 | 9ee16a915bd827c9c9241fc87e675378 |
| SHA1 | 843c75225d635c816cb8e2c585a5485b522697a2 |
| SHA256 | 0e59491f3ee70108c159547951993e94f8beb23e60767d8206892942427e0a11 |
| SHA512 | 17c108229f66aa66b57a7f58249edd206f7eea34958ca5f58e29902bbc2e2f30d2cc382ac5986f2c6a43424bf86eddaa57f5ea1d713b853cd2b7d41d78d1082a |
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\IEFunctions.dll
| MD5 | 46ee93cfce4dd2576579f45ad8c41b88 |
| SHA1 | f34a4eb6df68e521debda61e5af46aaf461bc3ce |
| SHA256 | a8fbec39470467e43e3fbc48cceeaf11d5e2fe3b98c521ac71b5522e7b46a859 |
| SHA512 | a2eb8ed29a819ee821c749dd76c04c2f3a5284a0063d08c43c9eaeb6f68a7c9034b846cb3cca26608cfe28b5ddc07842ea70a6aeb9cb7c6c1b579c3d05e40a5b |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi.xml
| MD5 | d977ad4b5c1933194e9d40d01376275f |
| SHA1 | df335838b334c1f15d5bff2e6a5ae44ef9ea33db |
| SHA256 | e11e66bf9b97359a9ee25065cb3b8e574487fdfa7768ab71ef78e93a3531ebf5 |
| SHA512 | 6f162df3eaa514d1c02d4831cf4d296373b32a838ba73614bc0c8f5d13b2558d823f25470aa9526954e3a41958c89563e69b7d75d7f259ebb15b57435f81fc1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{9300D574-3C8A-420B-903D-092FA54CBB41}.ico
| MD5 | cc293971feb692e18edd790fcd6ff10e |
| SHA1 | 09a2c236508962ed8d13736033bd2479f13dbf32 |
| SHA256 | a863b816dbda3deda70419bb471f11f0f0e0ca20ebec82a0c00d5c304690b3c5 |
| SHA512 | e245e2bf17e143fc4cd24224bcaa68ec7a9548ae8f8c295caf0cd49e366f22985a123d7e2da995864a9d233b9510df3eddaa5dbf0f65eb81468ed74bb0b2070e |
memory/2968-12225-0x0000000002FE0000-0x000000000307E000-memory.dmp
memory/2968-12227-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-12226-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-12228-0x0000000002F90000-0x000000000302E000-memory.dmp
memory/2968-12229-0x0000000002FF0000-0x000000000308E000-memory.dmp
memory/2968-12230-0x0000000002FF0000-0x000000000308E000-memory.dmp
memory/2968-12231-0x0000000003010000-0x00000000030AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
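The Files list above records user.js in both Firefox profiles (n4zftpal.default-release and kkr0into.Admin), and prefs.js in one of them, under the same path many times with a different hash for each write; the report gives the hashes but not the contents. The Python below is an added example for this report, not code from the sandbox vendor or from the sample. It parses a user.js file into a preference map, diffs two snapshots the way an analyst would diff two of the dropped versions, and flags the preferences that homepage and search hijackers rewrite. BEFORE and AFTER are constructed samples; the host search.example.invalid is a placeholder and was not observed in this analysis.

```python
"""Parse and diff Firefox user.js snapshots for hijacked preferences.

Added example for this report, not the sandbox vendor's code or the
sample's. BEFORE/AFTER are constructed; the report lists the dropped
user.js files only by hash, so their real contents are not known here.
"""
import re

USER_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# Preferences that homepage/search hijackers typically rewrite, plus the
# switch that (on builds honouring it) lets unsigned extensions load.
HIJACK_PREFS = {
    "browser.startup.homepage",
    "browser.startup.page",
    "browser.newtab.url",
    "keyword.URL",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.search.order.1",
    "xpinstall.signatures.required",
}

BEFORE = r"""
// Mozilla User Preferences (constructed sample: clean profile)
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.search.defaultenginename", "Google");
user_pref("extensions.lastAppVersion", "131.0");
"""

AFTER = r"""
// Mozilla User Preferences (constructed sample: after a hijacker rewrote it)
user_pref("browser.startup.homepage", "http://search.example.invalid/?src=hp");
user_pref("browser.startup.page", 1);
user_pref("browser.search.defaultenginename", "Example Search");
user_pref("browser.search.selectedEngine", "Example Search");
user_pref("keyword.URL", "http://search.example.invalid/?q=");
user_pref("extensions.lastAppVersion", "131.0");
user_pref("xpinstall.signatures.required", false);
"""


def _parse_value(raw: str):
    """user_pref values are JS literals: string, true/false or integer."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_user_js(text: str) -> dict:
    """Map pref name -> value; comments and blank lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def diff_prefs(before: dict, after: dict):
    """Return (added, changed, removed) between two snapshots."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k], after[k]) for k in before
               if k in after and before[k] != after[k]}
    return added, changed, removed


def hijack_findings(before: dict, after: dict) -> list:
    """Only the added/changed prefs that matter for a hijack verdict."""
    added, changed, _ = diff_prefs(before, after)
    out = []
    for name, value in sorted(added.items()):
        if name in HIJACK_PREFS:
            out.append(f"added {name} = {value!r}")
    for name, (old, new) in sorted(changed.items()):
        if name in HIJACK_PREFS:
            out.append(f"changed {name}: {old!r} -> {new!r}")
    return out


if __name__ == "__main__":
    for finding in hijack_findings(parse_user_js(BEFORE), parse_user_js(AFTER)):
        print(finding)
```

Run it over consecutive dropped versions of the same user.js (oldest to newest) to see which write introduced each change; a Firefox profile that never contained a user.js before the installer ran should be treated as hijacked as soon as any of the listed preferences appears in it.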
Analysis: behavioral12
Detonation Overview
| Submitted | 2024-10-21 14:11 |
| Reported | 2024-10-21 14:14 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 137s |
| Max time network | 106s |
| Command Line | |
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4040 wrote to memory of 4272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4040 wrote to memory of 4272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4040 wrote to memory of 4272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral21
Detonation Overview
| Submitted | 2024-10-21 14:11 |
| Reported | 2024-10-21 14:14 |
| Platform | win7-20240903-en |
| Max time kernel | 117s |
| Max time network | 120s |
| Command Line | |
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 224
Network
Files
Analysis: behavioral11
Detonation Overview
| Submitted | 2024-10-21 14:11 |
| Reported | 2024-10-21 14:14 |
| Platform | win7-20240903-en |
| Max time kernel | 121s |
| Max time network | 123s |
| Command Line | |
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 220
Network
Files
Analysis: behavioral14
Detonation Overview
| Submitted | 2024-10-21 14:11 |
| Reported | 2024-10-21 14:14 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 137s |
| Max time network | 151s |
| Command Line | |
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| File created | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ = "\"C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe\"" | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CurVer\ = "ividi.ividiappCore.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ = "IXtrnlBsc" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiTlbr.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\run4ie = "start" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\Data | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ = "IEscortFctry" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiApp.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\excTlbr = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\bh\\ividi.dll" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ = "IRegmapDisp" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\Programmable | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\uninstallAll = "false" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dpblck | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272} | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0 | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\ = "CescrtHlpr Object" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiEng.dll\\2" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ = "IEHostWnd" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CurVer\ = "ividi.ividiHlpr.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
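The rows above are ordinary COM/ATL self-registration by ividi4ie.exe and by ividisrv.exe (run with /RegServer): ProgIDs such as ividi.ividiHlpr, their CLSIDs, interface IIDs with ProxyStubClsid32, and TypeLib win32 paths (the trailing \2 on the ividiEng.dll entry is a resource index, not part of the file name). What is worth pulling out of a table this size is where each registered server lives: the InprocServer32 written by regsvr32 in the behavioral15 run below points at sqlite3.dll under C:\Users\Admin\AppData\Local\Temp\$APPDATA\, a user-writable directory whose path still contains an unexpanded NSIS $APPDATA variable. The script below is an added example (not sandbox output) that parses rows in this table's layout, resolves ProgID to CLSID and CLSID to server path, and flags servers or type libraries registered from user-writable locations. The embedded rows are copied from this report; the user-writable heuristic and the output types are the example's own.

```python
"""Triage COM registration rows from a sandbox 'Modifies registry class' table.

Added example for this report, not sandbox output. SAMPLE_ROWS are copied from
the report's registry tables (static1 and behavioral15); the 'user-writable
location' heuristic and the Finding type are this example's own design.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiEng.dll\\2" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CurVer\ = "ividi.ividiHlpr.1" | C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE | C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC\\sqlite3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Path fragments an unprivileged user can write to; a COM server or type
# library registered from one of these deserves a closer look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class RegEvent:
    op: str
    key_parts: List[str]   # key path split on '\', WOW6432Node removed
    value: Optional[str]   # default-value data for 'Set value' rows
    process: str


@dataclass
class Finding:
    kind: str       # com-server | typelib | progid | interface
    subject: str    # CLSID, TypeLib ID, ProgID or IID
    detail: str     # server path, CLSID, or interface name
    process: str
    suspicious: bool


def parse_row(line: str) -> Optional[RegEvent]:
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    op, indicator, process, _target = cells
    key, value = indicator, None
    m = re.match(r'^(.*?)\s=\s"(.*)"$', indicator)
    if m:
        # The report renders backslashes inside value data doubled; undo that.
        key, value = m.group(1), m.group(2).replace("\\\\", "\\")
    # Drop the WOW6432Node redirection node so 32- and 64-bit views compare equal.
    parts = [p for p in key.split("\\") if p and p.lower() != "wow6432node"]
    return RegEvent(op, parts, value, process)


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(tok in low for tok in USER_WRITABLE)


def classify(ev: RegEvent) -> Optional[Finding]:
    lower = [p.lower() for p in ev.key_parts]
    if "classes" not in lower:
        return None
    rel = ev.key_parts[lower.index("classes") + 1:]
    if not rel:
        return None
    head = rel[0].lower()
    if head == "clsid" and len(rel) == 3 and ev.value and rel[2].lower() in ("inprocserver32", "localserver32"):
        return Finding("com-server", rel[1], ev.value, ev.process, is_user_writable(ev.value))
    if head == "typelib" and rel[-1].lower() == "win32" and ev.value:
        path = re.sub(r"\\\d+$", "", ev.value)   # strip the trailing resource index (e.g. '\2')
        return Finding("typelib", rel[1], path, ev.process, is_user_writable(path))
    if len(rel) == 2 and rel[1].lower() == "clsid" and ev.value and GUID_RE.fullmatch(ev.value):
        return Finding("progid", rel[0], ev.value, ev.process, False)
    if head == "interface" and len(rel) == 2 and ev.value:
        return Finding("interface", rel[1], ev.value, ev.process, False)
    return None


def triage(rows_text: str) -> List[Finding]:
    findings = []
    for line in rows_text.strip().splitlines():
        ev = parse_row(line)
        f = classify(ev) if ev else None
        if f:
            findings.append(f)
    return findings


def suspicious_servers(rows_text: str) -> List[Finding]:
    return [f for f in triage(rows_text) if f.suspicious]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        flag = "!! " if f.suspicious else "   "
        print(f"{flag}{f.kind:<10} {f.subject:<42} {f.detail}  [{f.process}]")
```

Run against the full table, the same parser yields one CLSID per ProgID and one server path per CLSID; the only row that trips the location heuristic is the sqlite3.dll InprocServer32, which is the row to pivot on when hunting the same installer elsewhere.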
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reports.montiera.com | udp |
| US | 172.232.25.148:80 | reports.montiera.com | tcp |
| US | 8.8.8.8:53 | 148.25.232.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\chrmPref.dll
| MD5 | b2bff24dcb4606c6c8474f979bfb4858 |
| SHA1 | 5671b867df8ce726d1075909cd40f3934d680da6 |
| SHA256 | 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af |
| SHA512 | e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874 |
C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll
| MD5 | db4961bbb3c1cf487904b15ea5b5884b |
| SHA1 | d1c23d22e93d3f9b268f99519d38d010ff99ea6c |
| SHA256 | 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12 |
| SHA512 | 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d |
C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\mt.dll
| MD5 | 4fae8b7d6c73ca9e5fc4fe8d96c14583 |
| SHA1 | 10865e388f36174297ec4ecdafd6265b331bfdcd |
| SHA256 | 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f |
| SHA512 | 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1 |
C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\Processes.dll
| MD5 | cc0bd4f5a79107633084471dbd4af796 |
| SHA1 | 09dfcf182b1493161dec8044a5234c35ee24c43a |
| SHA256 | 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c |
| SHA512 | 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3 |
memory/2512-279-0x0000000002320000-0x0000000002332000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsa6DB3.tmp
| MD5 | c1f678982f2e14ee43ab9e25d6d4dc1b |
| SHA1 | 283c5f9db053718e4f5f9c572f18502b9ff1e6e6 |
| SHA256 | f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f |
| SHA512 | 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js
| MD5 | d5da78293d8383edaca2745be2bab8a8 |
| SHA1 | 970ce7995a15f9fc39f0829126c6a4cfa547da15 |
| SHA256 | f778a088ece5db5be81b5a5edf81e1efa2fd778823b7ab655cca6da0b772f73a |
| SHA512 | 9f31cbb2d5ef23491af9b6c62665ca40b078e83c4c5836f5eba74cdffd97eb1478b0ad889dac8227c309c09d652ade015c924d6a3dcbcb630085e46169da824c |
memory/2512-156-0x00000000028C0000-0x000000000295E000-memory.dmp
memory/2512-113-0x00000000028C0000-0x000000000295E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\Time.dll
| MD5 | 38977533750fe69979b2c2ac801f96e6 |
| SHA1 | 74643c30cda909e649722ed0c7f267903558e92a |
| SHA256 | b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35 |
| SHA512 | e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
| MD5 | 690df0811fc73ff2219183e5d80d824b |
| SHA1 | a720126932f65de281c6f34c5512be8f787f7161 |
| SHA256 | 19e42855c02278efba771951c712468221e3318984e65c866590899a70e9b8cd |
| SHA512 | 7e5feae85b18b479a014f050a31d276b3a7d82600b1ab62338c371b9093e23e59021973ddb2cd5783247be076b5824f96bb7f05998c5fc26e971307e1cbb49ce |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
| MD5 | abbbe3516d8a6280b94e78ea7060e9c4 |
| SHA1 | a2f22d9dc3db1f10a44902e5cdfd7431b27a8671 |
| SHA256 | 63601ef9667c037dc62dc92c7b389edfb4191cde9063d1059996b93f035f454f |
| SHA512 | 2ce546ef005dd07b5022fb524107c07693dbd58c21a2808060958baa7b968064c4e855d41c52f25ed89a3026460a6c9d413481e1d55f678ebf2cd5d170faf549 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll
| MD5 | 57543e6554f60bd4082306d26245bfe5 |
| SHA1 | 70d4b021173c42dc82d40073fabe7fc0c28ebdde |
| SHA256 | 7838055c1f0aabe6df5b5fb3c6db737936eeee6d2314339082a7586414ae81b2 |
| SHA512 | 317557cddf5d666c2ed677619d9b98424cadc624e1e31067403ab7646008ce5496687e46fb07b4c61d0aa967bd0b3ac144acc3672c64ed66c1b3dd0d23938399 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js
| MD5 | 42e8303f847571aac21de910c724b936 |
| SHA1 | 2e51ec51cac690bf1393b7b3f0ecee7d193a999f |
| SHA256 | 1639196375c49733bbd5fd3d364a30f31a702e91fd1a0ebc62ba38e0a68e2164 |
| SHA512 | 13cd9a4cb49bffedc3fb29540bf08c3b1056795a9a7dc0a144eabcef91bd6894813a36d4d79980d65e660f1cad15e0ec2d90b57cf4a94a739e73ca96d25bd5d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js
| MD5 | ca445b7a7517c82309a4db3a68a01744 |
| SHA1 | fc6a32861b442020930437e32c518e18e5b1cb85 |
| SHA256 | d4801507b9ad17ca900677a65064d4c624351edbd13ad9249d7610d292f0ef9f |
| SHA512 | e2e76dc2fea0f26b8b9d52017fc2642419f06a01075de9f3bf20e6566c471db641d9d2eb797e202609b6d48887ad7bc821ebf42d1855bc7a8a61a6f23850e452 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll
| MD5 | 8a7e5619cbb2c659b3dd2d9c4a09db98 |
| SHA1 | a7eb94c32ca25dc1a9eb461d2d97d48475e010b4 |
| SHA256 | eae253b5691720fadd70083ed874b53929287a3d93834a3206f78ddf8fab1201 |
| SHA512 | 14f126006dccead7a344e69e6f21de15bddc6ed30fc248df4043838edd6ed838eae2db0f9ea1204584064a4426d610aeb34f268e37a98f54f274029763a146c1 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsh7130.tmp
| MD5 | b202a19d597901a748abf8509bfde934 |
| SHA1 | b2348671ff379ad28ba1d6b8aedb12ad80897845 |
| SHA256 | cbd8c4de019e84ca3b4cb4d32c6b74821aaef70e38d5bd43fe7bb6043a86c02e |
| SHA512 | 1bf4933fd13541bc577a91477f0e2853be1b219231fbaa805bb0b2038f82451ab524fcd7b92b26248458d47a5dbed9a16f3189da4eb410a4c7b8ffc9e525c414 |
C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll
| MD5 | 1989cd78346c1f430484236daca1c2cc |
| SHA1 | 9d9eaece8fe80dd400a1af12595a5a32e931abfe |
| SHA256 | 2d8ab3f2dfec1393b75e1ba8d12148ab5b5e334d1b071754e08f7087b22cdcc2 |
| SHA512 | 00aaf06bc2a092ce3d9b8d95e685a9fd0b61a8a5afb23910bdeb43a82bb294f54ce21a05823cdca28aa67b520dfb4091c847f4ae2ea211156441dd3e5a50205a |
C:\Users\Admin\AppData\Local\Temp\nsb706E.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
memory/4480-961-0x00000000021A0000-0x00000000021A9000-memory.dmp
memory/4480-960-0x00000000021A0000-0x00000000021A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsc71B0.tmp
| MD5 | 7533961cc19d23f928c40008bdfd253b |
| SHA1 | eb5cb177e2b04d8ecb0b627a011efc103e4311b5 |
| SHA256 | d590edd4dfb4be0909d745245d993b02c09c9e1cd270c63af3abc3ad58e404b3 |
| SHA512 | 8e5698b432cd23a616b6a9b11125d8a38822d3db1fa54a72bd5c4fe7f313a97249baa071c7a738f702f864199520252b83d0e597adbc79b424d283b206373493 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsh71D0.tmp
| MD5 | ae46f1823c8623b1418c316a37ce650c |
| SHA1 | 9d1d85dbd3cc79ba85201181b2fdf88525f2339b |
| SHA256 | 5efba76b38d773c6ca0197f727f3e242481ce1d992f6e56763e7a6e7c4adb86a |
| SHA512 | 1b572946f40c8670235ff46ea25f2f5767a0e80f5ed3ac52a61fb3f75b71fd2d4a195896ce531eff88a8f357a9e58a80942825779cb783358630bfeaa4735316 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsc7200.tmp
| MD5 | 73e44e90350f35e856fa497f9d486399 |
| SHA1 | 0525eeeea07acb71474960e1bbca89282ce4b9df |
| SHA256 | 72b3078ef760805a21a145b5bdfd58b0a3bbeabf5ffd65641e40f91af3fc0ac1 |
| SHA512 | f62ea9cfec616fa2a2e0c83839a9ee9cb57943b8c2f34364cec01d7d80014b56283c1399cdf7d40b85e4c5b6c9df89fffbde8746eb30bfec7b8d0e10a150a7f1 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsx7230.tmp
| MD5 | 0f0fb59507499844ddeaaee87d84628c |
| SHA1 | 1762b161143f069db8b381220e125442c5d9a432 |
| SHA256 | fcf401463b1efc1fec407f8cf8f69e61400a9d03b86b18d87ec7ecb4356fc005 |
| SHA512 | 810f047459096928dccffa4b1dd4c569a070464a4aca99de8205da28b43dbeb9008008efcf371638083fa54f4bc4687b18ddc1b2b2a023fa23571936e9f4f77f |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsm7240.tmp
| MD5 | e315356b4518b96c28539571c75c5cb2 |
| SHA1 | a6426178b9878086f09adb58ad1c4579643915a4 |
| SHA256 | fd136cc43461e18fce1a1f56adf989a37e64ee0a85fe8bb2764c26f7be7b4891 |
| SHA512 | ae859cb73ffc0faf040f015a584c87b9a8b0f33134c600a5199e885e9fd92bb18940a1dcf25184ff9b1f7ed4d128f0fee57cb85da941a015fe2a6caa248b5a8c |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsr7260.tmp
| MD5 | 434f7716a42016452b2db8acfffd46ca |
| SHA1 | b4af91b9336d51611a533e05eaed2bd1fb2b2776 |
| SHA256 | e0c28b14d8bcc47a894c88695fd954bb0bb5fa22793f052bdaac983d5f8598f2 |
| SHA512 | b662ab476b521c17a51284b9769025cd83e8f57a207ce7dac7fde54c36933d2974b284ac6de5363e50cb6834be1472eed44e8ac30e5c1348de2d1d25f56fd076 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsm7290.tmp
| MD5 | 35999907716c3ae81161d8addea467d1 |
| SHA1 | 60d543a1730d41b032841c5381335959de8be97a |
| SHA256 | a57eb38aada1fcc7fe7360ed67b0cafd2e96b1a032a4246e90f3646616b665a9 |
| SHA512 | 79452ab3747c0ed13d17c0fc810071e24f4d38fc16c8a120dc000dfe215d5ed8b164b570feceefd99f5b1c7113d7abc064721a4f75119b13dc620f39f197125c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js
| MD5 | fe5a9112843c20b8e1c9fdc6f9b4ba06 |
| SHA1 | fbcba814083b4861667874f9ca975f7d6f6443a2 |
| SHA256 | 8d8e1f46e431a98dbbf528d7d8f458100e03a24c8e5092a038a8d69069ba8b7d |
| SHA512 | 5b401f202965253400dd8b5d343597647581f246a5a41c95c6dd94eaf36ac064319611fbffbe5cc6bf331c01ad49e7cee3ec7d1b494a2d8d7808720dca0bfac7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js
| MD5 | c1a32373820e89e2519d6339267a2830 |
| SHA1 | ca22e5b22a6a3b9715d429893af4835b80d2aaae |
| SHA256 | 9ba8ff903dfee915949a64fabdaab6ac3402f9ab35059e1ad5044dc6e05a60fb |
| SHA512 | 05cdcc7add01ff4f9c7ef4248eded73d3b4727f978c9987afab82f13b7e3af0fae49e2064012c6f294a2dc44e31f652074ed8065ef57b563b204a50df44a403b |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsn7331.tmp
| MD5 | d1f3b4a8a846541d1bc9abcf43df4f57 |
| SHA1 | f5548c75823f138204d681cefde21090b5315480 |
| SHA256 | d00d077b39df4b4c5973e131fb18b36473d8e6572024d310539ac9b07781a9fd |
| SHA512 | 61809a5aabf4d109f5bf1d0f3f67ef90ab45c093b42f4aff5bfb4c7c679e650846730b4f71010d91e11671443f6f7093225758f12b078fa637b991b20524baa7 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nss7301.tmp
| MD5 | 059d8cbdceaf7d57ad8484bf7ca30a19 |
| SHA1 | ae0106cb7d4606d558529d265c549ee08d54f87a |
| SHA256 | dd6cc7554e07030f81899416cea0d64d0ba7a3eccbdd385ee8507a7d55d0b5af |
| SHA512 | 6c7d7a7d89fc74bdd031d5d90afa0a28a0a0fc4197eee69868250934c1cf296f9f998957adefbaf4bf9cbdcdd13cd6f828d1afdf71aae4c8a3f7976ed891d692 |
memory/2512-2454-0x0000000002D50000-0x0000000002D62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsc73E7.tmp
| MD5 | 7aee0e9d51a00e0f1c44b804cfce6044 |
| SHA1 | d51585fb0046a2bf26f82a9ba63ab3a3dccb0027 |
| SHA256 | 7f69604e63b2d74f105cc4aaae397c97cc3bfead2fc0077c0abd6f642ae6dd1c |
| SHA512 | 037d6e084477d6bffb53b5a19bd63f4a93139656c5703a3d7003695e9dce56338dc878cc376dd4c4f9d5225e9d9c38c3860a090867128691c1d630b761fe0d72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js
| MD5 | 69ddd27df99727eaaf75a94aa4029b3a |
| SHA1 | 4b6f800250c3a8c5ade91279fe3fb391235427e7 |
| SHA256 | e9a70687c8af22f72250253369bfa4fde3a792ea48f378f57dbfd01213835f77 |
| SHA512 | 3a511b7c9f2f17c5283ea9b0dc5ec6386dcab749f6654665dac53787fd016aaa8a9efd8529860ff7ab337e8cb1278a45bb84bbb35da887b9add54f734274b71b |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd7439.tmp
| MD5 | 374f5511742e36b9093fe4c4ae6658e2 |
| SHA1 | 489a64800274ad86df2c674ac9a636830e833d77 |
| SHA256 | db4fbe937b68fdee75a74ca9100883f27ea1b416f3fa84c29c4428f35ce0f117 |
| SHA512 | ee45fbd0b12cb46a3ef860bae102cfbc769d65c9c93c3f54072e5aaec2888c90ccdbc00ce3c2356e6b96070955090d1ed745b6ecb4f53a108fc3144d67c7e62d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js
| MD5 | c37004e1967248cafe4ffd48b73e2bf5 |
| SHA1 | 3bc9668733a2fe65ef9eb644dbdf1f2c64b68853 |
| SHA256 | 61e53792f7b4461e0fdee250de13597749dd3e961fe92a303e6454d4b4d91a26 |
| SHA512 | 88f2a91000d2eef1bcdb22ce38fd0824148451f1e7450ca526cfaced73c25fda6f42765e3f21ff441fa05eca87caf714784c11cfe0a35a122bdc2d784269acb5 |
C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi74A9.tmp
| MD5 | 970d0acb50c5935c69d0d6212d948b59 |
| SHA1 | 15cd3f492c55f4e8eebd3808843391d04c4c4719 |
| SHA256 | fb5c31a75bc06f56f3f68ab4ac554ac49e961cb58c33688babff20d37a27b2d6 |
| SHA512 | 736b664518a1dffd771c3aa96c1e2e01e90900f0855b9f41262680b9daa607f571d2f46c796d9d683ed42e623f410f458ca2d7e6da318829e4e40e6c37cafeb1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js
| MD5 | 3b00029f17a0bbe950bf3b02a1e4e02b |
| SHA1 | a763f05aeef7fc8557d53d79ea748d3764d4ea2e |
| SHA256 | f2db5c223be6a2aa1342a85375fade3efa885561c3b201896f6fbd5850606cb9 |
| SHA512 | 3f6505b18007267de6517e055e28e032563d15c1fc374e6057ae4d54b0152cb572eb6be793f06d43813e4e393fadb124066a1249e48d651a5a53dadf8678b9e0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js
| MD5 | 18efecbd7fcf3837f27913ba1baeccb8 |
| SHA1 | 74e1bb6d84002d261a6c6fd91c51d0ebe645942d |
| SHA256 | d318d315fdc3f0e5ab9c29abeba2e7afca9b7a45930552bc2e31231521e3547f |
| SHA512 | 901ab7c407501e15183e65a85863806859b5ad5efb5e84c9a04d572a40f1a069a0c0330ca1f5a98bf0fb42c92703ffcf1e715843c62601d49e9c8327113ccc9f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js
| MD5 | ae9299ac407f03ced3dc709cd5422777 |
| SHA1 | e4b5cbd351b8bfac4846f6bdd1137e70b6ba759e |
| SHA256 | 3d577bc99fad67694d295b73d7f2dd98d2d02feff1a2cdb9780f0030c3cbf204 |
| SHA512 | e8d32e36fa3d97042dc8d169036abf3afa45092e755d3882c82e88443c263f86dcb7c70f0c7618ca420302d87dcf80b8858d089f306de90f49c3412f22295624 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js
| MD5 | cecc6bad9463e1a9ff57bab9925407e8 |
| SHA1 | ef349d84fae666f0a675e220e6980e9bed6ba297 |
| SHA256 | f9f5fb56d56bc85aa742224a5b8f459798a16fecb02e870f6c1c3bbffec6c569 |
| SHA512 | 77084defc5569838fbf7ead2926e7a7f4e7b4865ee25a71b4b47483e721eb6667ab0d94e6dd21e7494c9eed17cfeb6b2ac12ed9a9ecdcbefbe2a13863f73ace2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js
| MD5 | 024d41e3e5fcb951e24a247f5748ebd4 |
| SHA1 | b8884d466f0b6610ae0ea06c593a71d6f77a1977 |
| SHA256 | 38d8f8c14dd526db559760dae83e7ed2749db0b32a36a4b0ad97ffcb7f90ebae |
| SHA512 | f079e6fae527be7b1a0beec8dccd38fe239ddd81c131d129e4df0a056538c5601bc1419626b2793a202d552d30eeac9286cc3b7ade688ca77025cb02e831282e |
C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\InetLoad.dll
| MD5 | 994669c5737b25c26642c94180e92fa2 |
| SHA1 | d8a1836914a446b0e06881ce1be8631554adafde |
| SHA256 | bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c |
| SHA512 | d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563 |
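The user.js entries above show the installer writing into both Firefox profiles (vobr65rb.Admin and y0bypz8z.default-release) several times over, one hash per rewrite. Firefox reads user.js at start-up and applies it over prefs.js, so dropping one is how an installer pins the homepage or default search engine without touching the profile's extension store. The report lists these files only by hash, so the parser below works on a constructed sample; it is an added example, not part of the report or of Firefox. The watched preference names are real Firefox prefs (several are legacy names that older hijackers still write); which ones to flag and the default value 15 for extensions.autoDisableScopes are this example's assumptions.

```python
"""Parse Firefox user.js files and flag preferences that redirect the browser.

Added example for this report, not sandbox output and not Firefox code. The
report lists the dropped user.js files only by hash, so SAMPLE_USER_JS is a
constructed stand-in; WATCHED holds real Firefox pref names, and the decision
of which values to flag is this example's own.
"""
import json
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterator, List, Tuple, Union
from urllib.parse import urlparse

PrefValue = Union[str, int, bool]

# Constructed sample (NOT the contents of the dropped files).
SAMPLE_USER_JS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.example.test/?src=hp");
user_pref("browser.startup.page", 1);
user_pref("browser.search.defaultenginename", "Example Search");
user_pref("keyword.URL", "http://search.example.test/?q=");
user_pref("extensions.autoDisableScopes", 0);
user_pref("app.update.enabled", true);
'''

# user_pref("name", <string|int|bool>);  -- one pref per line
PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\);\s*$')

# Prefs a homepage/search hijacker needs to touch. The predicate says which
# values are interesting; 15 is Firefox's default for autoDisableScopes, and
# lowering it lets side-loaded extensions enable themselves.
WATCHED = {
    "browser.startup.homepage": lambda v: True,
    "browser.newtab.url": lambda v: True,
    "keyword.URL": lambda v: True,
    "browser.search.defaultenginename": lambda v: True,
    "browser.search.selectedEngine": lambda v: True,
    "browser.search.order.1": lambda v: True,
    "extensions.autoDisableScopes": lambda v: v != 15,
    "xpinstall.signatures.required": lambda v: v is False,
}


@dataclass
class Hit:
    pref: str
    value: PrefValue


def _decode(raw: str) -> PrefValue:
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"'):
        return json.loads(raw)   # the escapes Firefox writes in prefs are JSON-compatible
    return int(raw)


def parse_user_js(text: str) -> Dict[str, PrefValue]:
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2))   # later lines override earlier ones
    return prefs


def find_hijack_prefs(prefs: Dict[str, PrefValue]) -> List[Hit]:
    return [Hit(name, prefs[name]) for name, interesting in WATCHED.items()
            if name in prefs and interesting(prefs[name])]


def hosts_referenced(prefs: Dict[str, PrefValue]) -> List[str]:
    """Hostnames from URL-valued prefs: the IOCs to pivot on."""
    hosts = set()
    for v in prefs.values():
        if isinstance(v, str) and v.startswith(("http://", "https://")):
            host = urlparse(v).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


def scan_profiles(firefox_root: Path) -> Iterator[Tuple[Path, List[Hit], List[str]]]:
    """Walk <root>\\Profiles\\<id>\\user.js, the layout the report's paths show.

    Typical root is %APPDATA%\\Mozilla\\Firefox; on a non-Windows host this
    simply yields nothing.
    """
    for user_js in firefox_root.glob("Profiles/*/user.js"):
        prefs = parse_user_js(user_js.read_text(encoding="utf-8", errors="replace"))
        yield user_js, find_hijack_prefs(prefs), hosts_referenced(prefs)


if __name__ == "__main__":
    sample = parse_user_js(SAMPLE_USER_JS)
    for hit in find_hijack_prefs(sample):
        print(f"{hit.pref} = {hit.value!r}")
    print("hosts:", ", ".join(hosts_referenced(sample)))
```

On a live host, run scan_profiles over every user's Mozilla\Firefox directory and compare the user.js hashes with the ones listed above; a match ties the profile change to this installer, and the hostnames it references are the same kind of indicator as reports.montiera.com in the network table.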
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ = "ILiteBusy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ = "ILiteParameters" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ = "ILiteProgress" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ = "ILiteStatement" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CurVer\ = "LiteX.LiteConnection.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ = "LiteStatement Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "ILiteColumn" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC\\sqlite3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 1628 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2300 wrote to memory of 1628 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2300 wrote to memory of 1628 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2300 wrote to memory of 1628 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2300 wrote to memory of 1628 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2300 wrote to memory of 1628 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2300 wrote to memory of 1628 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"
Network
Files
memory/1628-0-0x0000000010000000-0x000000001009E000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2120 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20241010-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 220
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4276 wrote to memory of 3632 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4276 wrote to memory of 3632 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4276 wrote to memory of 3632 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 236
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4840 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4840 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4840 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5028 wrote to memory of 3744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5028 wrote to memory of 3744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5028 wrote to memory of 3744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-10-21 14:11
Reported
2024-10-21 14:14
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 224