Malware Analysis Report

2025-08-05 21:09

Sample ID 241021-rhphlswhna
Target 66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118
SHA256 8c436076143b5d5a49ed25419f05c071654b0f0aa1a9f8c1b2db723964e45bf8
Tags
discovery upx adware spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

8c436076143b5d5a49ed25419f05c071654b0f0aa1a9f8c1b2db723964e45bf8

Threat Level: Shows suspicious behavior

The file 66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery upx adware spyware stealer

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Drops Chrome extension

Installs/modifies Browser Helper Object

Checks installed software on the system

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 14:11

Signatures

ACProtect 1.3x - 1.4x DLL software


UPX packed file

upx

Unsigned PE


NSIS installer

installer

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1532 -ip 1532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 600

Network


Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 1036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network


Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

129s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4628 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2680 -ip 2680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 604

Network


Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

109s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 5032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5032 -ip 5032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 604

Network


Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

Signatures

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 4672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

Network


Files

memory/4672-0-0x0000000010000000-0x000000001009E000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20241010-en

Max time kernel

13s

Max time network

18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IEFunctions.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5088 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5088 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2952 -ip 2952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 148.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1848 wrote to memory of 1736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1848 wrote to memory of 1736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NET.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1736 -ip 1736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 78.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 143.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\RunDll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\RunDll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\FaviconURL = "http://search.ividi.org/favicon.ico" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\DisplayName = "Search" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\URL = "http://search.ividi.org/?q={searchTerms}&src=tbsp&id=160e802a000000000000c28adb222bba&affilt=3&r=354" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\Codepage = "65001" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6} C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000a2b7537641a7654979d7020049a5abfc6e35aaca6b19d1516beffe8bebce7582000000000e80000000020000200000005521647f1a677769b1d62ae95a10b63e4fceca221f126f827a7b2f213ffaebf0100000006fe062f948c63c51b17c2c99c240ed1940000000775a7cce1b2f48a4b804b5e938ec5abdbe32ac52f28b94d15bab410e8e27eaee65b39c3a499346a29794bfb401b2ced4384f63a811e9aac7fd0916255e3582c2 C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 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 C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://search.ividi.org/?q={searchTerms}&src=tbnt&id=160e802a000000000000c28adb222bba&affilt=3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/Unitech%20LLC/ividi/1.8.23.0/ividi.xml" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{56BD67AB-67CE-4FA1-8503-334F31E85DE6}.ico" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutUrls C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{56BD67AB-67CE-4FA1-8503-334F31E85DE6}" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.ividi.org/?src=tbhp&id=160e802a000000000000c28adb222bba&affilt=3" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
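
Read together, the registry rows in the BHO, Internet Explorer settings and start page tables describe one browser hijack: ividi4ie.exe registers a Browser Helper Object under CLSID {8B8B2E80-1444-451D-AC8E-EB9A847F3887} (the same CLSID it registers under Classes\Wow6432Node\CLSID in the next table), ividi_1.8.23.0.exe creates a SearchScopes entry for search.ividi.org, makes it the DefaultScope and points the Start Page at the same host, and an ElevationPolicy entry with Policy = 3 tells Protected Mode to launch ividisrv.exe silently at medium integrity, outside the low-integrity browser sandbox. Alongside that, a Chrome extension is written directly into the profile's extensions folder. The parser below is an added example and is not part of the sandbox report or of the ividi installer: it turns rows in exactly the form printed above into structured events, tags those behaviours and extracts the CLSIDs, domain and extension ID an analyst would pivot on. It also accepts the "PID N wrote to memory of M" rows from behavioral17, behavioral28 and behavioral8 and labels the 64-bit system32\rundll32.exe writing into the SysWOW64\rundll32.exe it spawned as the WoW64 relaunch it is rather than injection. The sample rows are copied from this report; the regular expressions assume the sandbox's column layout (the process path is the last drive-letter path before the trailing N/A target, and WriteProcessMemory paths contain no spaces), and the tag names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: indicator rows copied verbatim from the signature
# tables above (behavioral1 registry and file rows, plus one WriteProcessMemory
# row from behavioral17). The NLS\Language lookup is a benign control row.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A',
    r'File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\{56BD67AB-67CE-4FA1-8503-334F31E85DE6}\URL = "http://search.ividi.org/?q={searchTerms}&src=tbsp&id=160e802a000000000000c28adb222bba&affilt=3&r=354" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{56BD67AB-67CE-4FA1-8503-334F31E85DE6}" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.ividi.org/?src=tbhp&id=160e802a000000000000c28adb222bba&affilt=3" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A',
    r'PID 2248 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
]

@dataclass
class Event:
    op: str                       # Set value, Key created, File created, WriteProcessMemory, ...
    key: str                      # registry path, file path, or "pid A->B" for memory writes
    process: str                  # process the sandbox attributed the action to
    vtype: Optional[str] = None   # str / int / data (Set value only)
    data: Optional[str] = None    # value data with surrounding quotes removed
    target: Optional[str] = None  # written-to process (WriteProcessMemory only)

# Registry/file rows: the process column is the last "<drive>:\..." token before the
# trailing "N/A" target column; greedy .* keeps quoted data (which may itself hold
# drive paths, as in AppPath above) inside the key/data part.
REG_RE = re.compile(r'^(?P<op>Set value|Key created|Key opened|File created)'
                    r'(?: \((?P<vtype>\w+)\))? (?P<rest>.*) (?P<process>[A-Z]:\\[^"]*?) N/A$')
# WriteProcessMemory rows; assumes neither path contains spaces (assumption, true here).
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A'
                    r' (?P<process>[A-Z]:\\\S+) (?P<target>[A-Z]:\\\S+)$')
GUID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)
HOST_RE = re.compile(r'https?://([^/"\s]+)')
CHROME_EXT_RE = re.compile(r'\\extensions\\([a-p]{32})\\', re.I)

def parse_row(row: str) -> Optional[Event]:
    row = row.strip()
    m = WPM_RE.match(row)
    if m:
        return Event('WriteProcessMemory', f"pid {m['src']}->{m['dst']}", m['process'], target=m['target'])
    m = REG_RE.match(row)
    if not m:
        return None
    key, sep, data = m['rest'].partition(' = ')
    if sep:
        data = data.strip()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1]
    else:
        data = None  # Key created / Key opened / File created / Set value with empty data
    return Event(m['op'], key.rstrip('\\'), m['process'], m['vtype'], data)

def classify(ev: Event) -> list:
    """Name the behaviours one event evidences; an empty list means not interesting."""
    k = ev.key.lower()
    if ev.op == 'WriteProcessMemory':
        # A 64-bit rundll32 asked to load a 32-bit DLL relaunches the SysWOW64 copy and,
        # like every parent, writes the child's startup parameters: process creation,
        # not injection by the sample.
        wow64 = (ev.process.lower().endswith('\\system32\\rundll32.exe')
                 and (ev.target or '').lower().endswith('\\syswow64\\rundll32.exe'))
        return ['rundll32_wow64_relaunch' if wow64 else 'cross_process_write']
    tags = []
    if '\\browser helper objects\\{' in k:
        tags.append('ie_bho_registered')
    if '\\internet explorer\\searchscopes' in k:
        tags.append('ie_search_provider_changed')
    if k.endswith('\\internet explorer\\main\\start page'):
        tags.append('ie_start_page_changed')
    if '\\low rights\\elevationpolicy\\{' in k:
        tags.append('ie_protected_mode_elevation_policy')
        # Policy 3 makes Protected Mode launch the AppName silently at medium
        # integrity, i.e. outside the low-integrity browser sandbox.
        if k.endswith('\\policy') and ev.data == '3':
            tags.append('ie_protected_mode_silent_medium_launch')
    if ev.op == 'File created' and '\\chrome\\user data\\' in k and k.endswith('\\manifest.json'):
        tags.append('chrome_extension_sideloaded')
    return tags

def summarize(rows) -> dict:
    """Parse raw rows; count behaviours and collect the IOCs worth pivoting on."""
    out = {'counts': {}, 'processes': set(), 'clsids': set(), 'domains': set(),
           'chrome_extension_ids': set(), 'unparsed': 0}
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            out['unparsed'] += 1
            continue
        tags = classify(ev)
        for t in tags:
            out['counts'][t] = out['counts'].get(t, 0) + 1
        if not tags or tags == ['rundll32_wow64_relaunch']:
            continue  # discovery noise and WoW64 relaunches carry no IOC
        out['processes'].add(ev.process)
        out['clsids'].update(g.upper() for g in GUID_RE.findall(ev.key))
        out['chrome_extension_ids'].update(CHROME_EXT_RE.findall(ev.key))
        if ev.data:
            out['domains'].update(HOST_RE.findall(ev.data))
    return out

if __name__ == '__main__':
    for name, value in summarize(SAMPLE_ROWS).items():
        print(f'{name}: {sorted(value) if isinstance(value, set) else value}')
```

Running it prints the per-behaviour counts and the IOC sets; rows from another report need only the same column layout. During triage it pays to keep the ElevationPolicy tag separate from the BHO tag: the BHO is what gets the toolbar's DLL loaded into iexplore.exe, while the elevation policy is what lets its ividisrv.exe helper run outside Protected Mode's low-integrity sandbox, and removing one without the other leaves half the hijack in place.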

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ = "IIEWndFct" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ = "IxpEmphszr" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\excTlbr = "true" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\VersionIndependentProgID\ = "esrv.ividiESrvc" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\vrsni = "1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\postUninstall C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\FLAGS C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\ = "escrtSrvc Object" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\uninstaller = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\uninstall.exe" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ = "IwebAtrbts" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A} C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\VersionIndependentProgID\ = "escort.escortIEPane" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\smplGrp = "none" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\rvrt = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ = "IXmlCnfg" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\ffxInstl = "all" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ThreadingModel = "apartment" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 868 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
PID 868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
PID 868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
PID 868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
PID 868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
PID 868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
PID 868 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe
PID 2540 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2540 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2540 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2540 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2540 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2540 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2540 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2540 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2540 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2540 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2540 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2540 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2540 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2540 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe"

C:\Windows\SysWOW64\RunDll32.exe

RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 868,CF58CD2452A740ADA26AF903D6F0F624,E8817F5F755E4ECC9C128BAD4872516C,0D4C99A5826A4D5898A46E16BB0FD4E6

C:\Windows\SysWOW64\RunDll32.exe

RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 868,E0F530973D664C38A00A7293660F69FA,F94B0BAC6587449E8FFC3891AA5E1329,0D4C99A5826A4D5898A46E16BB0FD4E6

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe" /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe" /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.opencandy.com udp
US 8.8.8.8:53 api.opencandy.com udp
US 8.8.8.8:53 dl.ividi.org udp
DE 195.201.124.255:80 dl.ividi.org tcp
US 8.8.8.8:53 search.ividi.org udp
DE 159.69.83.207:80 search.ividi.org tcp
US 8.8.8.8:53 reports.montiera.com udp
US 172.232.31.180:80 reports.montiera.com tcp

Files

\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\OCSetupHlp.dll

MD5 9e4e850e12f2f4f869b2491dbbb17ceb
SHA1 bd89581a89604b601c817ea680c2a224b46737f8
SHA256 4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6
SHA512 9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5

\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\IS.dll

MD5 c31b97adf54bdd6ac6d19ab85cc6bc57
SHA1 7e458577b1fe49885c21f38ba981f77b00bdd59b
SHA256 2e5af5577044835e7d1c526b1ef11dddbf660dbf265f3c8b533cbfcfd2a8b57a
SHA512 9178ba7bfd3851b9622ffa7f5981f43b4ca654e3f85113f7c91ebd2ce417c1acb718e73737838c61496a255cee1f5ad9873ea88bce78a0cfe67bd2cfb1e71790

memory/868-27-0x00000000743F0000-0x00000000743FA000-memory.dmp

\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsJSON.dll

MD5 78b913fcd04259634a5e901c616e6074
SHA1 ad5e1c651851a1125bcad79b01ccdcfa45df4799
SHA256 e3ce60666bb88c2412615ef9f432ec24e219532dee5cc1c7aebc65ed9ec94d59
SHA512 cbe07179dd93011f3d9a8f83541961ff34fb83d96658ac82a433ef0aa3399b183eaec3e6a49ec1c1e478d1eada2d3ebc78ffb1ae0574984ae66a7a9cab5d59e5

\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\NET.dll

MD5 9adaffc2a1b579115e40407733d94dde
SHA1 866bbb0dbbd217aa287fe3324ecaa828e8d7b622
SHA256 b31d4e8af5d38991c692f219130fdfa92762a9a77e04e7ab05e44603af578555
SHA512 214eedc4b314b48c192d3a847a64807bf41481e5cd06b1a627bad048dbac14a2c0d6b5b3c992616e18ec9f59f4107d68e57b8c4fd9da01e0695824ffc8030619

\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\ividi_1.8.23.0.exe

MD5 8c271a4f3d22bab31657afef6d391392
SHA1 73ca356b709eea6404ad8a997d4175894706430f
SHA256 afc3a56884a203c8351098f217383d7397ede85580e1ce6dd54ad59f327bed69
SHA512 cd433aae16749a0581761fed60d1758f80351d9a08219a256aae95711060f91a2189fbfbf7e5dd35202d8c1da92049c03357c505159c7b724c4896dd7a1cc832

\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\chrmPref.dll

MD5 b2bff24dcb4606c6c8474f979bfb4858
SHA1 5671b867df8ce726d1075909cd40f3934d680da6
SHA256 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af
SHA512 e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874

\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

memory/2540-83-0x00000000029A0000-0x0000000002A3E000-memory.dmp

\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll

MD5 db4961bbb3c1cf487904b15ea5b5884b
SHA1 d1c23d22e93d3f9b268f99519d38d010ff99ea6c
SHA256 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12
SHA512 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d

\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\mt.dll

MD5 4fae8b7d6c73ca9e5fc4fe8d96c14583
SHA1 10865e388f36174297ec4ecdafd6265b331bfdcd
SHA256 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f
SHA512 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1

\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nstFE20.tmp

MD5 d3079578282b28ba03ffdd2b6b4e0e1f
SHA1 6fe41d64a9132030121a9fe5cf2850b813767857
SHA256 31a17eeaf1af357533c4bafed56ffdf89b7a9c3b71b7081c3e3fbc01033b7b8b
SHA512 6287fa74ba3add7407ea65c5406e13ef151f778eb0ba1acd76cd32e17da92be5d6ba98c616132730d558026a94241d24036643e2eae35b164e78140869254f50

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsyFE40.tmp

MD5 f4c67df51bc663d0fe796da555808daf
SHA1 401b211bb00735844e776c42808584a68644a82e
SHA256 3de9f09bef858f665cb65798f1a5d9a3554b8965d318abbf0df42736294db187
SHA512 a6a8636e3c6676cc181aa41f1f2490177baf38920bd9c3fff2181475ac542fd25bf16c4f409a1c93d5eb3f6e20842aee529646a655e80548bbda752cdd38c618

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nseFE61.tmp

MD5 1e46e894e3edbae113af5b18894ae502
SHA1 f4d160113aad241764f67b4ea3db3995aaec4a1e
SHA256 9cf2b61be912114c9da26dec65a1e6970164d8e21ae981cd2c65ed8907e41781
SHA512 f45facc4aab2889b316e01e0a62d6c122497bcb4f9607b14a342c76f2ad5053dae43952e032e5dd307cca72f87a9eef1b203640a88a9d005c2b0740d5a7fbb76

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsjFE81.tmp

MD5 95f8b3b648c016474acdd5b01fb4ec35
SHA1 931bb414aff8506cec7fd856a118e3284e9dfa99
SHA256 a0a0b9dd4ca19d04dac378f98750494826750e325a9c902e446b9fe29cb0d771
SHA512 3685be51c2da29c62f01ba1b2af9bb86e673fe5094fbe18b3963f232a6d0c5824e10a584cc8b894952804a8c2284e9e3d6acfdf7db330d52d07ea415a8f95e9d

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsoFEA1.tmp

MD5 f1d5d5d767a8131da1fc7cf716ff2a15
SHA1 aacb16b7e1e242ddd2e7e2047e01579322d545e2
SHA256 13c28f22baef964c4351578b5dda9744d6e5e7dbbc69f5443ae092611ddd31b6
SHA512 cb041bc87828773ab7ed5cbd17809a12c2eb768e324dc7d1ad27779abf5cde03c045b4f7540da19662672ab57ac2be8fbddacc8888a07255aba380c7c72b3796

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nstFEC1.tmp

MD5 6a2154e374a248d98139462d92900311
SHA1 5b5cbc7e21ff2093647d04966de35a429c4d42c9
SHA256 d7f8c096c2faa3a85bedc0b8185fd59020c00c1190405e89c22f7e9f1fbd0363
SHA512 17eb6f65f55776cd3cd777b1fc03e6e5b8ac4b0095422f486adf40d06ec46655bf94d83bbaa5ef4f56ebac922f6ee30f2e76b86256f21e1d18ef30d52534c486

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsyFEE1.tmp

MD5 d71e5784d260825ad2c63652cac3673d
SHA1 b2dec1bab7ab03572298648fb7626a204981f0ed
SHA256 5233e39f303c2425a9e568800b30d27bb45732cbf84d0ee6c264627536dc9863
SHA512 7598f78f1fb640e8de50d7548188e0caa20996e1a3da31d981aea60401b293f52b223d94bbfd4b20566db87a6015a07c3876dab7033130851680e2df0d7f4a1d

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsyFEE3.tmp

MD5 3685803a8bf288149948257444f4b71a
SHA1 fa5d5c9b6379def0329a32d102773d841d75318d
SHA256 4ca882f253e353273a1004b3993ad80200a83eab9f20daa6d4ee666baa438c3a
SHA512 0e921cff49fd599efc954a8245b67ff0614fac1c5e5152521b88b48e9146cfb31410c925fde89cc2d38954b6ee7cd605dd017e1b478c8a1fe301e1b171cf1999

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsoFEF4.tmp

MD5 279dd3a12b962532be82049c5cb1248e
SHA1 6f80001ef64e9529a820a977eb559254fb8cb532
SHA256 e07dcb5a645d3895e3c60b1ed799fe186ea19c984456bee42c554b023c5b66c6
SHA512 079fde4ebf86a18b7e6c5a4fc6035af27ecbd82e4b151fbfd500b1b729020f99b55233d73bdce69dcd06cc4f3d138abd2b6a2e523afc87200c17b87f72e31320

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nseFF05.tmp

MD5 ee80745b5710c8b4a3d28371f998d11d
SHA1 401d2182543b9a11cda6fd0de2ac44c7ffa6b5c7
SHA256 dbda07310a8c124cb9c98b3b47e486f41f1080da556f14b1998260b3aae967f1
SHA512 81a3b70367bc323ea6a6ba4e988caa2e82c595c622cb4297d34dee63ff6ee7f57baa0c332700cdb1e857fd6b2c23960fafd8e53de0bb39efa31de9b6f9eaf3a9

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsjFF25.tmp

MD5 fd8498d9480fc5d64129cb5b453b49f3
SHA1 efc836399518434f20d1edbbc31e62533d90298c
SHA256 ea363aa00cca4c38c2f9fb4e334a2d014a92051e708a16dd5168e9cad88f12a7
SHA512 64cf256e5536ecfae6e3fb76af3b5f08e8caaaf06b7fe450af9d7a84d88a5b9ed9a4bad6740d0bceb0ac174cd391b3667316e94b40c89b54f23f6869262a6333

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.Admin\user.js

MD5 1a1baae0f82cfcda6a478df722f3c152
SHA1 c8636e08263cf7a01a138ee48e388e5ba0826d3d
SHA256 ee678595f007c7aa62d92a679a4476070a89a3498da0c1b3fba934c156b672ab
SHA512 727e2b5b64f7e3c2be38648dc3fae4e5dbb0391ffd73afbe5ed94705ae8604bdafdf47ff1e32aeb04359117308f76fa0816e611cb3e61fa6b8bc578710313413

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\user.js

MD5 d66b2022009ac5ee79ccf1e849609241
SHA1 e7ee619e4cc3c4896ad65eada651643d80ed9a1b
SHA256 481a094a5199d2d45a036676d84508505559f56288b0ed8131eb9a32510551e6
SHA512 c3f8396e7e3670b32c3125184c8e8ff67447f3d2fee600c37357bcb748d1c4cbc03a7c68d5202913e70a0aaa5bd95304ae90bf61e5ee7242a43d3e467812e1e9

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsyFF85.tmp

MD5 c1f678982f2e14ee43ab9e25d6d4dc1b
SHA1 283c5f9db053718e4f5f9c572f18502b9ff1e6e6
SHA256 f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f
SHA512 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nso35.tmp

MD5 3ee63ddbd8551a9194284ec5c71669dd
SHA1 f96b13036ce97f44ef32cf7cedc5534bd9b701a3
SHA256 29b7090ef25a239755de0634bdc3ea1031917d2d42b5bb7cb34598b4e892e85e
SHA512 1aa46047f29dd002c144aca059bc84c1caddbd6012f2b6fa9821f454186fe9a85a6868c9f3974e5b090eec5391be8cc1530f858385fd3674b44d112698b98ab6

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nse46.tmp

MD5 f5cf0f8a638fcd8228e9493d27cbed25
SHA1 47dde7ed80b20c75b0c0c37fa8256cca159c133d
SHA256 26d9f343033ac39da30e28d96120f157266803aa66bacf4b8f0f309677a35fdc
SHA512 12d987931f0358d55f18350b81df7c3d00f84e973193f046d0a3f721226d594d2e88ed3d1116b213e773d599268686cb2a3d18d5c096fe571abed26b19b74c48

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsoD3.tmp

MD5 963c905c55ae7d48cd4fc962ee788e0c
SHA1 9d6b5bfdf370b247247ca6ed5a8dda5fb1704edf
SHA256 3ca23f19d06a3ec3ed32079e7d3fc1dacdc27fab3e2a5030ba8fb8042ddf117b
SHA512 085ad3081b561c63c490b41a5ea65068e3ee7fe83efdc82aec952c89b418d22c5f1766530378c2d4c91a9dcb64189995fd761ec260933b31bf3543e5ff9c3d72

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nseE4.tmp

MD5 bd24e09c137b6314ae432c30894d046c
SHA1 448daab002e50694acf37d07241433e6eb6f038d
SHA256 01a5efa9f0b5524b6c5d7df21e80e9849a6a199e98e2a668ac95202570fca505
SHA512 25c0be80c8638fdec692d30bc9823a983d0a40dc1ed375107acc9cb4e35a57e9ea41b1932bec53d70aaf82c50e40204eeae218e3ac40e8a885fb1e6339b321a0

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nst31A.tmp

MD5 7e65ff3b656003d505bda743404d383b
SHA1 ca67674c37e841a4b6571b255f692961da551fcd
SHA256 048501b32e7eab72ba98af634a5c931728c62a94668eb9d6023a9a983b616b02
SHA512 fe68f533d1c67f950b81b7deba62287a99d86d2597df2e0a2cdeae46adb245a84176223332305643d2c0ad122c4a1559ebd0e6ebcf3a28833f0275c614e1d074

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsj32B.tmp

MD5 b798e65983049f7d8888e0d4626fa47c
SHA1 9ae7efe5201cb364e51c8487c99bb7d4f16e398b
SHA256 353f3731fe1d9432353f307d22834247f07e9f1ead5a0f9ca7f568bd1b660b7d
SHA512 74671979714d5a7d1bd14a8712cbf330e510e25b0ce0563299675c017f111f0042f2bde3c6366f4505349d4af046d3c3b305e420709e93949ecbc67966bddffe

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nsy33B.tmp

MD5 61edc0f0090cfb13f57678c01f69a68f
SHA1 313b0c0a3c422edbd60d89edc073857eb378fc47
SHA256 656c7106cb66d66d328756009a59f607a4f8245518720859173b133115466ce6
SHA512 da9df1d6afa09cbcc376e3023ce6218b6ae9f746381aeaf52e4624e4d6e1bd4d10996781893674eeec542539c8eed3ddc39231eda62768104c5e4eb77896254d

C:\Users\Admin\AppData\Local\Temp\nseE0CF.tmp\nso34C.tmp

MD5 31dcce6abe2c5f73ed103f6b02ace9cc
SHA1 d53f8e9c1d8eb3d855054b8a3c1d6a5f4521474e
SHA256 f0d6000b064d3c991289d1f5579c0d7a4ccc0aac5894205009ce914d66041bb8
SHA512 d53887d8d64a50738d978e8bc2ae2e2da4b5b4c9e97b7dc13361c214134f42ab66cf0b5e5980db1c0041bfa8dc7da5a3e8b81d9c0c7af17ca0676d0305e7fec3

memory/2540-3228-0x0000000000860000-0x0000000000872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsjFD44.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/2540-3264-0x0000000002CA0000-0x0000000002D3E000-memory.dmp

memory/868-3270-0x00000000743F0000-0x00000000743FA000-memory.dmp

memory/2540-3275-0x00000000033C0000-0x000000000345E000-memory.dmp

memory/2540-3291-0x0000000002CA0000-0x0000000002D3E000-memory.dmp

memory/2540-3297-0x0000000002CA0000-0x0000000002D3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsy542.tmp

MD5 dbeb9e5902f2ec685c1196a48271efd0
SHA1 4d77751d9ab73a3964e2d395a2295ef1bf46aee7
SHA256 31d111d7a683bd310b44f96c9b3c03d517fabeec2c77cf5656f2408393bc5794
SHA512 606e417197f6a55ba33c76a4a446ca4712367396dabc6acb4d8da54036327cf376ebb6871a0b7b0cdc8ce220fb4ae55d96a08af3783c00fd16c869be730f1125

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nse563.tmp

MD5 17f3c44732eb03e3788b7419c4677339
SHA1 374fccf13c655a7d3afdff3408f17a5335313615
SHA256 eac1828eadb72980cfcc3e6e05997f8ce5798b35ffbc2f748202e87c985da63c
SHA512 b2cfd719633d3088a36657cf0f7da343020d5d9d620ef3f6afefd8ecc144244bb0b1ec0de8dc7724b427616a02ddee77e11ff1e22d98db6eebbea6140a420988

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsj583.tmp

MD5 3256f72deea26deec3c63781578b9052
SHA1 88b3b3c208aa86ba372051c6af0b44515d868d0f
SHA256 be07b39485362bcf544ab967b1f6d07ca7bfef6b65b901f00a0dc59e7d2efb20
SHA512 c7bf283715fb9b4aa96f3e607c33b9bd79f7dbe5b8ad424217be13f3fac11bac892a1ddc3d7ef8676e6ab081c0cfe9e6ff66dc1ae0b7e7bfa4b45958953b888d

memory/2484-3915-0x00000000003F0000-0x00000000003F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nso5A3.tmp

MD5 eafae0664b9b17365fe6af0ab388ceaf
SHA1 0d931b4b41367539ad347962c538839278246e44
SHA256 dd799b42f15c95e21ce33892119cb98a8e2b7626f8ebb45cabdcf574ad23656e
SHA512 b7d52032a8ceaae7aca4f9f14056a7e6c801539abee381190eb198797a1584c0afc0971a3422945ac7fcc5cdb569cb119b7004b53a153e3803228117ae28bdee

C:\Users\Admin\AppData\Local\Temp\nst4D2.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240729-en

Max time kernel

15s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 4436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IS.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240708-en

Max time kernel

15s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\hp_ffx = "http://search.ividi.org/?src=tbhp&id=b1f1995b000000000000ca26f3f7e98a&affilt=orgnl" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ = "escort" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\Programmable C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ = "Ixtrnlmain" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\ProgID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\ = "ividi Toolbar" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\CLSID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\ProgID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\ = "escrtSrvc Object" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dsFFX = "Search " C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\tlbrSrchUrl = "http://search.ividi.org/?src=tbsp&id=b1f1995b000000000000ca26f3f7e98a&affilt=orgnl&q=" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CLSID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ProgID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd\ = "CDskBnd Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\ProgID\ = "ividi.ivididskBnd.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\TypeLib\ = "{905E34C2-F4EB-49BE-A36B-47692CF957A8}" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\ = "esrv 1.0 Type Library" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\afltId = "orgnl" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\ = "esrv" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\CLSID C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ivididskBnd.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL\AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1768 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 1768 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 1768 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 1768 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 1768 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 1768 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 1768 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 1768 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2204 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2204 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2204 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 2204 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 reports.montiera.com udp
US 172.232.25.148:80 reports.montiera.com tcp

Files

\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\UserInfo.dll

\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\nsisos.dll

C:\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\chrmPref.dll

\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll

memory/1768-38-0x00000000023A0000-0x000000000243E000-memory.dmp

\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\mt.dll

\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\Time.dll

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsjBB67.tmp

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsoBB88.tmp

\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\Processes.dll

memory/1768-270-0x0000000000770000-0x0000000000782000-memory.dmp

\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.Admin\user.js

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nszBD9A.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.Admin\user.js

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstBDCA.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nszBDEB.tmp

memory/2204-925-0x00000000004C0000-0x00000000004C9000-memory.dmp

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe

C:\Users\Admin\AppData\Local\Temp\nsjBD38.tmp\md5dll.dll

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsjBE2A.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsoBE98.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstBEB8.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.Admin\user.js

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsjBF19.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsoBF39.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstBF59.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nszBFCB.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.Admin\user.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseBFEE.tmp

memory/1768-1963-0x0000000002470000-0x0000000002482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseBFEF.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nstBFFF.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsjC010.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nszC021.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsoC031.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsjC063.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsoC083.tmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nseC094.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\user.js

C:\Users\Admin\AppData\Local\Temp\nstBAB8.tmp\InetLoad.dll

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 1980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 1980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 1980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 1980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 1980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 1980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 1980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 800 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 800 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 800 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrmPref.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 224

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\RunDll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\RunDll32.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/Unitech%20LLC/ividi/1.8.23.0/ividi.xml" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\FaviconURL = "http://search.ividi.org/favicon.ico" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\URL = "http://search.ividi.org/?q={searchTerms}&src=tbsp&id=d36618c4000000000000da61a5e71e4e&affilt=3&r=171" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://search.ividi.org/?q={searchTerms}&src=tbnt&id=d36618c4000000000000da61a5e71e4e&affilt=3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41} C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\DisplayName = "Search" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutUrls C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{9300D574-3C8A-420B-903D-092FA54CBB41}.ico" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9300D574-3C8A-420B-903D-092FA54CBB41}\Codepage = "65001" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.ividi.org/?src=tbhp&id=d36618c4000000000000da61a5e71e4e&affilt=3" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\Programmable C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore.1\ = "appCore Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\Data C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\i\CurVer C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\tlbrSrchUrl = "http://search.ividi.org/?src=tbsp&id=d36618c4000000000000da61a5e71e4e&affilt=3&q=" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID\ = "{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr.1\CLSID\ = "{8B8B2E80-1444-451D-AC8E-EB9A847F3887}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CLSID\ = "{8B8B2E80-1444-451D-AC8E-EB9A847F3887}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\instlRef C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\autoRvrt = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\ = "IescrtSrvc" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\i\CLSID\ = "{D18734A5-B131-4335-A3E0-15FF90AC90EE}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\postUninstall C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\uninstExt = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc\CurVer C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0\0\win32 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiApp.dll" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76}\ = "IEvntCntr" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ = "\"C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe\"" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\smplGrp = "none" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\ = "IxpEmphszr" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\vrsni = "1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\ProgID\ = "ividi.ividiappCore.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\InprocServer32\ThreadingModel = "apartment" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\run4ie = "end" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\Programmable C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{676CA8F5-30D8-4292-8A1C-B5CBDE8C1B3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\Instl C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc.1\ = "escrtSrvc Object" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3688 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 3688 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 3688 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 3688 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 3688 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 3688 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 3688 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe
PID 2968 wrote to memory of 5504 N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2968 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 5504 wrote to memory of 5748 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\66f5fe2ff41e6be5a0174e3e13fece7e_JaffaCakes118.exe"

C:\Windows\SysWOW64\RunDll32.exe

RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 3688,6B1F6CF202234D3DA90BEAB1CA759938,323722A5827747A0A44574BC9BAFE52C,5BBCAFBD77654AA98C62DCE6B564311F

C:\Windows\SysWOW64\RunDll32.exe

RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 3688,DF3FACC75E514CF7A714597FF59744B1,59BBF15747F9447883F5DC410FF145F2,5BBCAFBD77654AA98C62DCE6B564311F

C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe

C:\Users\Admin\AppData\Local\Temp\nsyB547.tmp\ividi_1.8.23.0.exe /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe" /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe" /uninstallAll /aflt=3 /excTlbr /mhp /mnt /mds

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer

Network


Files

SHA1 df335838b334c1f15d5bff2e6a5ae44ef9ea33db
SHA256 e11e66bf9b97359a9ee25065cb3b8e574487fdfa7768ab71ef78e93a3531ebf5
SHA512 6f162df3eaa514d1c02d4831cf4d296373b32a838ba73614bc0c8f5d13b2558d823f25470aa9526954e3a41958c89563e69b7d75d7f259ebb15b57435f81fc1b

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{9300D574-3C8A-420B-903D-092FA54CBB41}.ico

MD5 cc293971feb692e18edd790fcd6ff10e
SHA1 09a2c236508962ed8d13736033bd2479f13dbf32
SHA256 a863b816dbda3deda70419bb471f11f0f0e0ca20ebec82a0c00d5c304690b3c5
SHA512 e245e2bf17e143fc4cd24224bcaa68ec7a9548ae8f8c295caf0cd49e366f22985a123d7e2da995864a9d233b9510df3eddaa5dbf0f65eb81468ed74bb0b2070e

memory/2968-12225-0x0000000002FE0000-0x000000000307E000-memory.dmp

memory/2968-12227-0x0000000002F90000-0x000000000302E000-memory.dmp

memory/2968-12226-0x0000000002F90000-0x000000000302E000-memory.dmp

memory/2968-12228-0x0000000002F90000-0x000000000302E000-memory.dmp

memory/2968-12229-0x0000000002FF0000-0x000000000308E000-memory.dmp

memory/2968-12230-0x0000000002FF0000-0x000000000308E000-memory.dmp

memory/2968-12231-0x0000000003010000-0x00000000030AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsjD10C.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4040 wrote to memory of 4272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4040 wrote to memory of 4272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4040 wrote to memory of 4272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Processes.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\default\extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_0\manifest.json C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\ = "ividi Helper Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\bh\ividi.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividi.crx C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
File created C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\uninstall.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57} = "ividi Toolbar" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppName = "ividisrv.exe" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F964AFD9-C4F0-4367-B5B8-E14DDBD524A8}\AppPath = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDD7D35E-DEE4-43B2-BADA-1901182B367B}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\trace = "0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32\ = "\"C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividisrv.exe\"" C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1399F80-21CB-4EE9-9C64-A00018863C96}\LocalServer32 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CurVer\ = "ividi.ividiappCore.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ = "IXtrnlBsc" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFE1DF4F-2D7B-4714-BB3D-F242BB677E57}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiTlbr.dll" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D198823B-F44A-4EBD-B18C-961622C0113D}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\run4ie = "start" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\Data C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{186F4C6F-EE6F-46EF-A1A0-7F1BC88EF224}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\ = "IEscortFctry" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{211B330A-499B-415E-B1F1-B7132A8751D2}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiApp.dll" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F5978E2-5D6D-4B23-96FF-A4BBD97F0133}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EBB4CB-D1A6-47A2-9375-7E2936360D2A}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\excTlbr = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\InprocServer32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\bh\\ividi.dll" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.ividiESrvc C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B8B2E80-1444-451D-AC8E-EB9A847F3887}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C930413F-8F9D-47F8-B7F6-53F45EDC3F76} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ = "escorTlbr" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\ = "escortIEPane Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8903CC-2769-42BE-8F7E-52B5B742D3EE}\ = "IRegmapDisp" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F92D72B2-8B85-403D-B849-0D8943695829}\TypeLib\ = "{AA587238-8C5A-4876-A59C-FF55412CB518}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D18734A5-B131-4335-A3E0-15FF90AC90EE}\Programmable C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\uninstallAll = "false" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{685F23D9-FCFD-475C-B56A-362645945C5A}\instl\data\dpblck C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E485B5E-A3BD-44F2-89D6-8E0FE65E4D4B}\ = "IesrvXtrnl" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiappCore\CLSID\ = "{211B330A-499B-415E-B1F1-B7132A8751D2}" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E967BBC-8053-4135-B6A9-A5B8DFF3C0EC}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FAA44E54-BF05-48AE-A0D5-3D18BEF3D272} C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{905E34C2-F4EB-49BE-A36B-47692CF957A8}\1.0 C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\ = "CescrtHlpr Object" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA587238-8C5A-4876-A59C-FF55412CB518}\1.0\0\win32\ = "C:\\Program Files (x86)\\Unitech LLC\\ividi\\1.8.23.0\\ividiEng.dll\\2" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C541A8F9-E098-4EAC-BDC6-D3FF5CAABFB4}\TypeLib C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ = "IEHostWnd" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F5539BC-A423-4DE2-BB0B-6A3111E9064B}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ividi.ividiHlpr\CurVer\ = "ividi.ividiHlpr.1" C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2512 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2512 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe
PID 2512 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2512 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 2512 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe
PID 4480 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 4480 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe
PID 4480 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ividi_1.8.23.0.exe"

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe"

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

"C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe"

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe

"C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividisrv.exe" /RegServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 reports.montiera.com udp
US 172.232.25.148:80 reports.montiera.com tcp
US 8.8.8.8:53 148.25.232.172.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 148.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\chrmPref.dll

MD5 b2bff24dcb4606c6c8474f979bfb4858
SHA1 5671b867df8ce726d1075909cd40f3934d680da6
SHA256 82d89574b1019c60d6bcf97318b36f8e4bb535bb68334c68253b6306d9dbe4af
SHA512 e7187607c909a9416ede056c10e83d4a0b8f8bb33a8653009630d5f36f80c8be145658d1c2d9df3ede48ce1e9bdf20d192dff45ebe0c6fdc50f241e81df4c874

C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Roaming\Unitech LLC\sqlite3.dll

MD5 db4961bbb3c1cf487904b15ea5b5884b
SHA1 d1c23d22e93d3f9b268f99519d38d010ff99ea6c
SHA256 970ab5826883e15bd9ae33310dcfb00968a938eebbe7e8e1ba5c8b0c12cc5d12
SHA512 191e365500a824c1b31eca9f82caecdc227471d09c1343390a2879bd9642cad1a57fe812eb0ab3f20b24941da763a24a76f5a4b0791af5600d283eae7f6cae7d

C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\mt.dll

MD5 4fae8b7d6c73ca9e5fc4fe8d96c14583
SHA1 10865e388f36174297ec4ecdafd6265b331bfdcd
SHA256 069db1a83371dcd2dd28a51def6cef190edcac6bbf35b81b7ee3c52105db210f
SHA512 73a5547c6d83227a08e2427f2e5eb6abf429d4b5b7e146fcd59b9fb8c9cc6eb9ff61347a3d46f83d0c7adbaff15e94e70bf40660c217f48e9a46a6e310aaf6b1

C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\Processes.dll

MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

memory/2512-279-0x0000000002320000-0x0000000002332000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsa6DB3.tmp

MD5 c1f678982f2e14ee43ab9e25d6d4dc1b
SHA1 283c5f9db053718e4f5f9c572f18502b9ff1e6e6
SHA256 f853acf4b930763ba2fb5c782bad9ee8c5d36dc3b9774998462e792eb4da747f
SHA512 03ff3be160581617af8e67164e92de4f012dbc6841928a229a6e487489c71e1b04e4ec180a0bfb9b8109c3cff3f5fb2b52df9c6f721b2b8cc92dcd897f9d99e0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 d5da78293d8383edaca2745be2bab8a8
SHA1 970ce7995a15f9fc39f0829126c6a4cfa547da15
SHA256 f778a088ece5db5be81b5a5edf81e1efa2fd778823b7ab655cca6da0b772f73a
SHA512 9f31cbb2d5ef23491af9b6c62665ca40b078e83c4c5836f5eba74cdffd97eb1478b0ad889dac8227c309c09d652ade015c924d6a3dcbcb630085e46169da824c

memory/2512-156-0x00000000028C0000-0x000000000295E000-memory.dmp

memory/2512-113-0x00000000028C0000-0x000000000295E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\Time.dll

MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ie.exe

MD5 690df0811fc73ff2219183e5d80d824b
SHA1 a720126932f65de281c6f34c5512be8f787f7161
SHA256 19e42855c02278efba771951c712468221e3318984e65c866590899a70e9b8cd
SHA512 7e5feae85b18b479a014f050a31d276b3a7d82600b1ab62338c371b9093e23e59021973ddb2cd5783247be076b5824f96bb7f05998c5fc26e971307e1cbb49ce

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\ividi4ffx.exe

MD5 abbbe3516d8a6280b94e78ea7060e9c4
SHA1 a2f22d9dc3db1f10a44902e5cdfd7431b27a8671
SHA256 63601ef9667c037dc62dc92c7b389edfb4191cde9063d1059996b93f035f454f
SHA512 2ce546ef005dd07b5022fb524107c07693dbd58c21a2808060958baa7b968064c4e855d41c52f25ed89a3026460a6c9d413481e1d55f678ebf2cd5d170faf549

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiTlbr.dll

MD5 57543e6554f60bd4082306d26245bfe5
SHA1 70d4b021173c42dc82d40073fabe7fc0c28ebdde
SHA256 7838055c1f0aabe6df5b5fb3c6db737936eeee6d2314339082a7586414ae81b2
SHA512 317557cddf5d666c2ed677619d9b98424cadc624e1e31067403ab7646008ce5496687e46fb07b4c61d0aa967bd0b3ac144acc3672c64ed66c1b3dd0d23938399

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 42e8303f847571aac21de910c724b936
SHA1 2e51ec51cac690bf1393b7b3f0ecee7d193a999f
SHA256 1639196375c49733bbd5fd3d364a30f31a702e91fd1a0ebc62ba38e0a68e2164
SHA512 13cd9a4cb49bffedc3fb29540bf08c3b1056795a9a7dc0a144eabcef91bd6894813a36d4d79980d65e660f1cad15e0ec2d90b57cf4a94a739e73ca96d25bd5d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 ca445b7a7517c82309a4db3a68a01744
SHA1 fc6a32861b442020930437e32c518e18e5b1cb85
SHA256 d4801507b9ad17ca900677a65064d4c624351edbd13ad9249d7610d292f0ef9f
SHA512 e2e76dc2fea0f26b8b9d52017fc2642419f06a01075de9f3bf20e6566c471db641d9d2eb797e202609b6d48887ad7bc821ebf42d1855bc7a8a61a6f23850e452

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiEng.dll

MD5 8a7e5619cbb2c659b3dd2d9c4a09db98
SHA1 a7eb94c32ca25dc1a9eb461d2d97d48475e010b4
SHA256 eae253b5691720fadd70083ed874b53929287a3d93834a3206f78ddf8fab1201
SHA512 14f126006dccead7a344e69e6f21de15bddc6ed30fc248df4043838edd6ed838eae2db0f9ea1204584064a4426d610aeb34f268e37a98f54f274029763a146c1

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsh7130.tmp

MD5 b202a19d597901a748abf8509bfde934
SHA1 b2348671ff379ad28ba1d6b8aedb12ad80897845
SHA256 cbd8c4de019e84ca3b4cb4d32c6b74821aaef70e38d5bd43fe7bb6043a86c02e
SHA512 1bf4933fd13541bc577a91477f0e2853be1b219231fbaa805bb0b2038f82451ab524fcd7b92b26248458d47a5dbed9a16f3189da4eb410a4c7b8ffc9e525c414

C:\Program Files (x86)\Unitech LLC\ividi\1.8.23.0\ividiApp.dll

MD5 1989cd78346c1f430484236daca1c2cc
SHA1 9d9eaece8fe80dd400a1af12595a5a32e931abfe
SHA256 2d8ab3f2dfec1393b75e1ba8d12148ab5b5e334d1b071754e08f7087b22cdcc2
SHA512 00aaf06bc2a092ce3d9b8d95e685a9fd0b61a8a5afb23910bdeb43a82bb294f54ce21a05823cdca28aa67b520dfb4091c847f4ae2ea211156441dd3e5a50205a

C:\Users\Admin\AppData\Local\Temp\nsb706E.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

memory/4480-961-0x00000000021A0000-0x00000000021A9000-memory.dmp

memory/4480-960-0x00000000021A0000-0x00000000021A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsc71B0.tmp

MD5 7533961cc19d23f928c40008bdfd253b
SHA1 eb5cb177e2b04d8ecb0b627a011efc103e4311b5
SHA256 d590edd4dfb4be0909d745245d993b02c09c9e1cd270c63af3abc3ad58e404b3
SHA512 8e5698b432cd23a616b6a9b11125d8a38822d3db1fa54a72bd5c4fe7f313a97249baa071c7a738f702f864199520252b83d0e597adbc79b424d283b206373493

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsh71D0.tmp

MD5 ae46f1823c8623b1418c316a37ce650c
SHA1 9d1d85dbd3cc79ba85201181b2fdf88525f2339b
SHA256 5efba76b38d773c6ca0197f727f3e242481ce1d992f6e56763e7a6e7c4adb86a
SHA512 1b572946f40c8670235ff46ea25f2f5767a0e80f5ed3ac52a61fb3f75b71fd2d4a195896ce531eff88a8f357a9e58a80942825779cb783358630bfeaa4735316

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsc7200.tmp

MD5 73e44e90350f35e856fa497f9d486399
SHA1 0525eeeea07acb71474960e1bbca89282ce4b9df
SHA256 72b3078ef760805a21a145b5bdfd58b0a3bbeabf5ffd65641e40f91af3fc0ac1
SHA512 f62ea9cfec616fa2a2e0c83839a9ee9cb57943b8c2f34364cec01d7d80014b56283c1399cdf7d40b85e4c5b6c9df89fffbde8746eb30bfec7b8d0e10a150a7f1

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsx7230.tmp

MD5 0f0fb59507499844ddeaaee87d84628c
SHA1 1762b161143f069db8b381220e125442c5d9a432
SHA256 fcf401463b1efc1fec407f8cf8f69e61400a9d03b86b18d87ec7ecb4356fc005
SHA512 810f047459096928dccffa4b1dd4c569a070464a4aca99de8205da28b43dbeb9008008efcf371638083fa54f4bc4687b18ddc1b2b2a023fa23571936e9f4f77f

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsm7240.tmp

MD5 e315356b4518b96c28539571c75c5cb2
SHA1 a6426178b9878086f09adb58ad1c4579643915a4
SHA256 fd136cc43461e18fce1a1f56adf989a37e64ee0a85fe8bb2764c26f7be7b4891
SHA512 ae859cb73ffc0faf040f015a584c87b9a8b0f33134c600a5199e885e9fd92bb18940a1dcf25184ff9b1f7ed4d128f0fee57cb85da941a015fe2a6caa248b5a8c

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsr7260.tmp

MD5 434f7716a42016452b2db8acfffd46ca
SHA1 b4af91b9336d51611a533e05eaed2bd1fb2b2776
SHA256 e0c28b14d8bcc47a894c88695fd954bb0bb5fa22793f052bdaac983d5f8598f2
SHA512 b662ab476b521c17a51284b9769025cd83e8f57a207ce7dac7fde54c36933d2974b284ac6de5363e50cb6834be1472eed44e8ac30e5c1348de2d1d25f56fd076

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsm7290.tmp

MD5 35999907716c3ae81161d8addea467d1
SHA1 60d543a1730d41b032841c5381335959de8be97a
SHA256 a57eb38aada1fcc7fe7360ed67b0cafd2e96b1a032a4246e90f3646616b665a9
SHA512 79452ab3747c0ed13d17c0fc810071e24f4d38fc16c8a120dc000dfe215d5ed8b164b570feceefd99f5b1c7113d7abc064721a4f75119b13dc620f39f197125c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 fe5a9112843c20b8e1c9fdc6f9b4ba06
SHA1 fbcba814083b4861667874f9ca975f7d6f6443a2
SHA256 8d8e1f46e431a98dbbf528d7d8f458100e03a24c8e5092a038a8d69069ba8b7d
SHA512 5b401f202965253400dd8b5d343597647581f246a5a41c95c6dd94eaf36ac064319611fbffbe5cc6bf331c01ad49e7cee3ec7d1b494a2d8d7808720dca0bfac7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

MD5 c1a32373820e89e2519d6339267a2830
SHA1 ca22e5b22a6a3b9715d429893af4835b80d2aaae
SHA256 9ba8ff903dfee915949a64fabdaab6ac3402f9ab35059e1ad5044dc6e05a60fb
SHA512 05cdcc7add01ff4f9c7ef4248eded73d3b4727f978c9987afab82f13b7e3af0fae49e2064012c6f294a2dc44e31f652074ed8065ef57b563b204a50df44a403b

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsn7331.tmp

MD5 d1f3b4a8a846541d1bc9abcf43df4f57
SHA1 f5548c75823f138204d681cefde21090b5315480
SHA256 d00d077b39df4b4c5973e131fb18b36473d8e6572024d310539ac9b07781a9fd
SHA512 61809a5aabf4d109f5bf1d0f3f67ef90ab45c093b42f4aff5bfb4c7c679e650846730b4f71010d91e11671443f6f7093225758f12b078fa637b991b20524baa7

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nss7301.tmp

MD5 059d8cbdceaf7d57ad8484bf7ca30a19
SHA1 ae0106cb7d4606d558529d265c549ee08d54f87a
SHA256 dd6cc7554e07030f81899416cea0d64d0ba7a3eccbdd385ee8507a7d55d0b5af
SHA512 6c7d7a7d89fc74bdd031d5d90afa0a28a0a0fc4197eee69868250934c1cf296f9f998957adefbaf4bf9cbdcdd13cd6f828d1afdf71aae4c8a3f7976ed891d692

memory/2512-2454-0x0000000002D50000-0x0000000002D62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsc73E7.tmp

MD5 7aee0e9d51a00e0f1c44b804cfce6044
SHA1 d51585fb0046a2bf26f82a9ba63ab3a3dccb0027
SHA256 7f69604e63b2d74f105cc4aaae397c97cc3bfead2fc0077c0abd6f642ae6dd1c
SHA512 037d6e084477d6bffb53b5a19bd63f4a93139656c5703a3d7003695e9dce56338dc878cc376dd4c4f9d5225e9d9c38c3860a090867128691c1d630b761fe0d72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

MD5 69ddd27df99727eaaf75a94aa4029b3a
SHA1 4b6f800250c3a8c5ade91279fe3fb391235427e7
SHA256 e9a70687c8af22f72250253369bfa4fde3a792ea48f378f57dbfd01213835f77
SHA512 3a511b7c9f2f17c5283ea9b0dc5ec6386dcab749f6654665dac53787fd016aaa8a9efd8529860ff7ab337e8cb1278a45bb84bbb35da887b9add54f734274b71b

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsd7439.tmp

MD5 374f5511742e36b9093fe4c4ae6658e2
SHA1 489a64800274ad86df2c674ac9a636830e833d77
SHA256 db4fbe937b68fdee75a74ca9100883f27ea1b416f3fa84c29c4428f35ce0f117
SHA512 ee45fbd0b12cb46a3ef860bae102cfbc769d65c9c93c3f54072e5aaec2888c90ccdbc00ce3c2356e6b96070955090d1ed745b6ecb4f53a108fc3144d67c7e62d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

MD5 c37004e1967248cafe4ffd48b73e2bf5
SHA1 3bc9668733a2fe65ef9eb644dbdf1f2c64b68853
SHA256 61e53792f7b4461e0fdee250de13597749dd3e961fe92a303e6454d4b4d91a26
SHA512 88f2a91000d2eef1bcdb22ce38fd0824148451f1e7450ca526cfaced73c25fda6f42765e3f21ff441fa05eca87caf714784c11cfe0a35a122bdc2d784269acb5

C:\Users\Admin\AppData\Local\Temp\Unitech LLC\ividi\1.8.23.0\nsi74A9.tmp

MD5 970d0acb50c5935c69d0d6212d948b59
SHA1 15cd3f492c55f4e8eebd3808843391d04c4c4719
SHA256 fb5c31a75bc06f56f3f68ab4ac554ac49e961cb58c33688babff20d37a27b2d6
SHA512 736b664518a1dffd771c3aa96c1e2e01e90900f0855b9f41262680b9daa607f571d2f46c796d9d683ed42e623f410f458ca2d7e6da318829e4e40e6c37cafeb1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 3b00029f17a0bbe950bf3b02a1e4e02b
SHA1 a763f05aeef7fc8557d53d79ea748d3764d4ea2e
SHA256 f2db5c223be6a2aa1342a85375fade3efa885561c3b201896f6fbd5850606cb9
SHA512 3f6505b18007267de6517e055e28e032563d15c1fc374e6057ae4d54b0152cb572eb6be793f06d43813e4e393fadb124066a1249e48d651a5a53dadf8678b9e0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 18efecbd7fcf3837f27913ba1baeccb8
SHA1 74e1bb6d84002d261a6c6fd91c51d0ebe645942d
SHA256 d318d315fdc3f0e5ab9c29abeba2e7afca9b7a45930552bc2e31231521e3547f
SHA512 901ab7c407501e15183e65a85863806859b5ad5efb5e84c9a04d572a40f1a069a0c0330ca1f5a98bf0fb42c92703ffcf1e715843c62601d49e9c8327113ccc9f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vobr65rb.Admin\user.js

MD5 ae9299ac407f03ced3dc709cd5422777
SHA1 e4b5cbd351b8bfac4846f6bdd1137e70b6ba759e
SHA256 3d577bc99fad67694d295b73d7f2dd98d2d02feff1a2cdb9780f0030c3cbf204
SHA512 e8d32e36fa3d97042dc8d169036abf3afa45092e755d3882c82e88443c263f86dcb7c70f0c7618ca420302d87dcf80b8858d089f306de90f49c3412f22295624

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

MD5 cecc6bad9463e1a9ff57bab9925407e8
SHA1 ef349d84fae666f0a675e220e6980e9bed6ba297
SHA256 f9f5fb56d56bc85aa742224a5b8f459798a16fecb02e870f6c1c3bbffec6c569
SHA512 77084defc5569838fbf7ead2926e7a7f4e7b4865ee25a71b4b47483e721eb6667ab0d94e6dd21e7494c9eed17cfeb6b2ac12ed9a9ecdcbefbe2a13863f73ace2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\user.js

MD5 024d41e3e5fcb951e24a247f5748ebd4
SHA1 b8884d466f0b6610ae0ea06c593a71d6f77a1977
SHA256 38d8f8c14dd526db559760dae83e7ed2749db0b32a36a4b0ad97ffcb7f90ebae
SHA512 f079e6fae527be7b1a0beec8dccd38fe239ddd81c131d129e4df0a056538c5601bc1419626b2793a202d552d30eeac9286cc3b7ade688ca77025cb02e831282e

C:\Users\Admin\AppData\Local\Temp\nsf6D32.tmp\InetLoad.dll

MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240729-en

Max time kernel

16s

Max time network

17s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{820D6CD0-98E2-496B-B01A-D3C4EB3F92C9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D4E89EB-4BCC-4647-8D0B-A6D7F627CA3D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\ = "ILiteBusy" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ = "ILiteParameters" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ = "ILiteProgress" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ = "ILiteStatement" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CurVer\ = "LiteX.LiteConnection.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ = "LiteStatement Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25EE8E01-5237-41F1-B29F-6AF441CF0924} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7ADFDFCF-8B4E-42A2-B458-3CA6F2DB7FE4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ = "ILiteColumn" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LargeInteger.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089569}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteConnection\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B1A162-3DE5-47D4-9992-964281640F2F}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E22694D-7B92-42A1-89A7-668E2F7AA107}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\Unitech LLC\\sqlite3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiteX.LiteStatement\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{453A51CC-F944-4643-9540-A78253B8019C}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\TypeLib\ = "{10770BEB-5AFA-4851-B68E-EE891F3DEE7F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E575221-737A-443A-9D64-13B79512D287}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\ProxyStubClsid32\ = "{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3481F74-CB68-4D47-9F69-99D256089570}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD13FFC0-BA5D-4B6C-ACBF-D1C44D0DA9B5} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B3DD01-7CE3-4590-BFD4-856DEC9E3E85} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A33FE52-8122-4494-A74A-9C7A04D637A4}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A107497-5F9C-45D6-994B-FB2F8E802E84} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 1628 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2300 wrote to memory of 1628 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2300 wrote to memory of 1628 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2300 wrote to memory of 1628 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2300 wrote to memory of 1628 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2300 wrote to memory of 1628 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2300 wrote to memory of 1628 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\$APPDATA\Unitech LLC\sqlite3.dll"

Network

N/A

Files

memory/1628-0-0x0000000010000000-0x000000001009E000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20241010-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 220

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4276 wrote to memory of 3632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4276 wrote to memory of 3632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4276 wrote to memory of 3632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 236

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4840 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4840 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4840 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InetLoad.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 3744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5028 wrote to memory of 3744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5028 wrote to memory of 3744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 78.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-21 14:11

Reported

2024-10-21 14:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 224

Network

N/A

Files

N/A