Play interactive tour

Edit tour

Analysis Report iLividSetupV1.exe

Overview

General Information

Sample Name:	iLividSetupV1.exe
Analysis ID:	416969
MD5:	016b0f5e6b3221659c763a2cb6a238da
SHA1:	b120b44b9320e21b9277f8520d0a9f8e0a663f05
SHA256:	03d1e0a1b7bdd49c52fe65917ab7376987b89719722a3e907604be9639900370
Infos:
Most interesting Screenshot:

Detection

Score:	45
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Drops PE files

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Classification

Startup

System is w10x64

iLividSetupV1.exe (PID: 5056 cmdline: 'C:\Users\user\Desktop\iLividSetupV1.exe' MD5: 016B0F5E6B3221659C763A2CB6A238DA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: iLividSetupV1.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: iLividSetupV1.exe	Virustotal: Detection: 47%	Perma Link
Source: iLividSetupV1.exe	Metadefender: Detection: 32%	Perma Link
Source: iLividSetupV1.exe	ReversingLabs: Detection: 44%

Machine Learning detection for sample

Show sources

Source: iLividSetupV1.exe

Joe Sandbox ML: detected

Source: iLividSetupV1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\iLividSetupV1.exe

Window detected: &Next >CancelSelect your preferred installation:Typical Installation (recommended)Custom InstallationInstall iLivid with Searchqu Toolbar to search the webfrom the browser.Set and keep Searchnu.com as my homepage and Search-Results.com as my default web search engine.Set and keep Searchnu.com as my homepage and Search-Results.com as my default web search engineInstall Searchqu Toolbar to search the web from the browserBy clicking "Accept and Install" you accept theLicense AgreementsToolbar installs in IE and FireFox. Settings apply in IE FireFox and Chrome.CancelAccept and Install

Source: C:\Users\user\Desktop\iLividSetupV1.exe

File created: C:\Users\user~1\AppData\Local\Temp\nse91FD.tmp\license.txt

Jump to behavior

Source: iLividSetupV1.exe

Static PE information: certificate valid

Source:

Binary string: e:\Work\Rabbit\G1\rbin\Helper.pdb source: Helper.dll.1.dr

Source: unknown

DNS traffic detected: query: download.cdn.ilivid.com replaycode: Name error (3)

Source: unknown

DNS traffic detected: queries for: download.cdn.ilivid.com

Source: iLividSetupV1.exe	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: iLividSetupV1.exe	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: iLividSetupV1.exe	String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: Helper.dll.1.dr	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: iLividSetupV1.exe	String found in binary or memory: http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exe
Source: iLividSetupV1.exe, 00000001.00000003.258010469.0000000003340000.00000004.00000040.sdmp	String found in binary or memory: http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exeC:
Source: iLividSetupV1.exe, 00000001.00000003.257997192.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exeJ
Source: iLividSetupV1.exe, 00000001.00000003.257997192.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exeP
Source: iLividSetupV1.exe, 00000001.00000003.257997192.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exed
Source: iLividSetupV1.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: iLividSetupV1.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: license.txt.1.dr	String found in binary or memory: http://www.iLivid.com/articles/search_provider_instructions.php
Source: iLividSetupV1.exe	String found in binary or memory: https://www.thawte.com/cps0

Source: iLividSetupV1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: mal45.winEXE@1/7@8/0

Source: C:\Users\user\Desktop\iLividSetupV1.exe

File created: C:\Users\Public\Desktop\iLivid.lnk

Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsj91CD.tmp

Jump to behavior

Source: iLividSetupV1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iLividSetupV1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\iLividSetupV1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\iLividSetupV1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\iLividSetupV1.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: iLividSetupV1.exe	Virustotal: Detection: 47%
Source: iLividSetupV1.exe	Metadefender: Detection: 32%
Source: iLividSetupV1.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\iLividSetupV1.exe

File read: C:\Users\user\Desktop\iLividSetupV1.exe

Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe	Automated click: Next >
Source: C:\Users\user\Desktop\iLividSetupV1.exe	Automated click: Accept and Install
Source: C:\Users\user\Desktop\iLividSetupV1.exe	Automated click: Next >

Source: C:\Users\user\Desktop\iLividSetupV1.exe

Source: iLividSetupV1.exe

Static PE information: certificate valid

Source:

Binary string: e:\Work\Rabbit\G1\rbin\Helper.pdb source: Helper.dll.1.dr

Source: C:\Users\user\Desktop\iLividSetupV1.exe	File created: C:\Users\user\AppData\Local\Temp\nse91FD.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\iLividSetupV1.exe	File created: C:\Users\user\AppData\Local\Temp\nse91FD.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\iLividSetupV1.exe	File created: C:\Users\user\AppData\Local\Temp\nse91FD.tmp\Helper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\iLividSetupV1.exe	File created: C:\Users\user\AppData\Local\Temp\nse91FD.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\iLividSetupV1.exe

File created: C:\Users\user~1\AppData\Local\Temp\nse91FD.tmp\license.txt

Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLividSetupV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLividSetupV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iLividSetupV1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\iLividSetupV1.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iLividSetupV1.exe	47%	Virustotal		Browse
iLividSetupV1.exe	32%	Metadefender		Browse
iLividSetupV1.exe	45%	ReversingLabs	Win32.Adware.Bandoo
iLividSetupV1.exe	100%	Avira	PUA/iLivid.Gen
iLividSetupV1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\Helper.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\Helper.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\Helper.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\UAC.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\UAC.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\UAC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\nsDialogs.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\nsDialogs.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\nsDialogs.dll	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
download.cdn.ilivid.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exeJ	iLividSetupV1.exe, 00000001.00000003.257997192.0000000005400000.00000004.00000001.sdmp	false		high
http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exe	iLividSetupV1.exe	false		high
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0	iLividSetupV1.exe	false		high
http://crl.thawte.com/ThawtePCA.crl0	iLividSetupV1.exe	false		high
http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exed	iLividSetupV1.exe, 00000001.00000003.257997192.0000000005400000.00000004.00000001.sdmp	false		high
http://ocsp.thawte.com0	iLividSetupV1.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exeC:	iLividSetupV1.exe, 00000001.00000003.258010469.0000000003340000.00000004.00000040.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	Helper.dll.1.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	iLividSetupV1.exe	false		high
http://crl.thawte.com/ThawtePremiumServerCA.crl0	iLividSetupV1.exe	false		high
http://www.iLivid.com/articles/search_provider_instructions.php	license.txt.1.dr	false		high
https://www.thawte.com/cps0	iLividSetupV1.exe	false		high
http://download.cdn.ilivid.com/cdn/98/SetupDataMngr_Searchqu.exeP	iLividSetupV1.exe, 00000001.00000003.257997192.0000000005400000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	416969
Start date:	19.05.2021
Start time:	08:10:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	iLividSetupV1.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal45.winEXE@1/7@8/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 168.61.161.212, 20.50.102.62, 204.79.197.200, 13.107.21.200, 52.255.188.83, 52.147.198.201, 92.122.145.220, 23.218.208.56, 2.20.143.16, 2.20.142.209, 20.82.210.154, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Execution Graph export aborted for target iLividSetupV1.exe, PID 5056 because there are no executed function Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:11:35	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce !iLividOnce C:\Users\user\Desktop\iLividSetupV1.exe
08:11:38	API Interceptor	8x Sleep call for process: iLividSetupV1.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nse91FD.tmp\System.dll	LphantSetup-r126-n-bi.exe.0000.exe	Get hash	malicious	Browse
	V3kT2daGkz.exe	Get hash	malicious	Browse
	wzdu53.exe	Get hash	malicious	Browse
	wzdu53.exe	Get hash	malicious	Browse
	wzdu53.exe	Get hash	malicious	Browse
	https://download.winzipdriverupdater.com/wzdu/wzdu53.exe	Get hash	malicious	Browse
	wzdu53.exe	Get hash	malicious	Browse
	A0149815.exe	Get hash	malicious	Browse
	7wit6LhMUx.exe	Get hash	malicious	Browse
	npCryptoKit.CertEnrollment.UD.x86.exe	Get hash	malicious	Browse
	iLividSetup-r1136-n-bi.exe	Get hash	malicious	Browse
	CryptoKit.CertEnrollment.Pro.x86.exe	Get hash	malicious	Browse
	SpdbSuite_v7.3.exe	Get hash	malicious	Browse
	https://download.winzipdriverupdater.com/wzdu/wzdu53.exe	Get hash	malicious	Browse
	http://www.sec.gov.ph/wp-content/uploads/2015/08/Certificate-Chain-of-Trust-2.exe	Get hash	malicious	Browse
	iLividSetup-r1118-t-bi.exe	Get hash	malicious	Browse
	iLividSetup-r1118-t-bi.exe	Get hash	malicious	Browse
	sogou_pinyin_90d.exe	Get hash	malicious	Browse
	http://injector-api.reviversoft.com/api/inject?buildid=34&src=&link=https://dl.reviversoft.com/tools/reviversoft/releases/10bf3cdf-7788-4bb0-922f-600f0b550c36_4.19.6.6/sa/0/RegistryReviverSetup.exe	Get hash	malicious	Browse
	winiso.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\Public\Desktop\iLivid.lnk Download File
Process:	C:\Users\user\Desktop\iLividSetupV1.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:24:19 2020, mtime=Wed May 19 14:11:30 2021, atime=Wed May 19 14:11:29 2021, length=823648, window=hide
Category:	dropped
Size (bytes):	614
Entropy (8bit):	5.1818177479745255
Encrypted:	false
SSDEEP:	12:8c128zYNbRLTLVpN9j1d4rY2EGOjAnQ3cskXIAY2EYwpACBm:8FTnLnVpH1KM1AQ3/hYw5m
MD5:	02926B908E345D6D4BB5AE772FA47088
SHA1:	E2D5DD24AA03BE9542B5C1BFE67C9AE56E22739B
SHA-256:	79428BAAFA8381C69D511B7993D88D6AC5573F96653A317193B570BFBE2DD77B
SHA-512:	548D62F4690889085A5C6583D3D767745661A9B2E2E974BC3422240914A4A0D6482B841047E2C580940EE07D9AD90A253B52A95765BC3909F18A296A470FC114
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....SU.=....xb?.L..wE.>.L..`............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......)...#-....,.=...6>H?.L....p.2.`....Roy .ILIVID~1.EXE..T......>Q.{.Roy....WA.....................wQ.i.L.i.v.i.d.S.e.t.u.p.V.1...e.x.e.......[...............-.......Z..............l.....C:\Users\user\Desktop\iLividSetupV1.exe..).....\.....\.f.r.o.n.t.d.e.s.k.\.D.e.s.k.t.o.p.\.i.L.i.v.i.d.S.e.t.u.p.V.1...e.x.e.`.......X.......579569...........!a..%.H.VZAj....R..0............!a..%.H.VZAj....R..0...........E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Local\Temp\nse91FD.tmp\Helper.dll Download File
Process:	C:\Users\user\Desktop\iLividSetupV1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1069056
Entropy (8bit):	6.632475035569113
Encrypted:	false
SSDEEP:	12288:6atQ0QAsqP85SFuNrC8b+qyPyTlkmn4IiaLgfeC:jtQ06M8Sqy6Tlkmn4IvieC
MD5:	CF0E9192667CDEDFACC8646E38BD9686
SHA1:	4741AC6DE1D309210279795E1C7CD7F21CEE6F17
SHA-256:	D0B3E7F9B304B88FE7DE3B81AFC1C64F40D7B2237721225A15A564AE62B34E66
SHA-512:	B8A47FC2C706822EB0ADFA820D24330901454FE37B6C93270F2FC89AA4B05E9E1527820AF1F3F674B6D8696ED79722CC51EEB12E7E1762E112E7BAD69327D36C
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{...?..Y?..Y?..Y..HY<..Y6.KY#..Y6.ZYn..Y6.]Y...Y6.MY(..Y?..Y6..Y6.TY~..Y6.LY>..Y!.JY>..Y6.OY>..YRich?..Y................PE..L...Y+.P...........!.........h......}x....................................................@................................. ........p....................... ...q.....................................@...............4............................text............................... ..`.rdata..............................@..@.data..............................@....tls.........`......................@....rsrc........p......................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nse91FD.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\iLividSetupV1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.757244749345054
Encrypted:	false
SSDEEP:	192:sRer7uivwq1XpKs4FVWSjMd8tIg2cREbyCsZ8q2R4Sy+Xe:s67Xws4FVWig86/5eCBqSy+Xe
MD5:	959EA64598B9A3E494C00E8FA793BE7E
SHA1:	40F284A3B92C2F04B1038DEF79579D4B3D066EE0
SHA-256:	03CD57AB00236C753E7DDEEE8EE1C10839ACE7C426769982365531042E1F6F8B
SHA-512:	5E765E090F712BEFFCE40C5264674F430B08719940D66E3A4D4A516FD4ADE859F7853F614D9D6BBB602780DE54E11110D66DBB0F9CA20EF6096EDE531F9F6D64
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: LphantSetup-r126-n-bi.exe.0000.exe, Detection: malicious, Browse Filename: V3kT2daGkz.exe, Detection: malicious, Browse Filename: wzdu53.exe, Detection: malicious, Browse Filename: wzdu53.exe, Detection: malicious, Browse Filename: wzdu53.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: wzdu53.exe, Detection: malicious, Browse Filename: A0149815.exe, Detection: malicious, Browse Filename: 7wit6LhMUx.exe, Detection: malicious, Browse Filename: npCryptoKit.CertEnrollment.UD.x86.exe, Detection: malicious, Browse Filename: iLividSetup-r1136-n-bi.exe, Detection: malicious, Browse Filename: CryptoKit.CertEnrollment.Pro.x86.exe, Detection: malicious, Browse Filename: SpdbSuite_v7.3.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: iLividSetup-r1118-t-bi.exe, Detection: malicious, Browse Filename: iLividSetup-r1118-t-bi.exe, Detection: malicious, Browse Filename: sogou_pinyin_90d.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: winiso.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a..............lt.........................................Rich............PE..L.....K...........!................e'.......0...............................`.......................................3.......1..P............................P.......................................................0..\............................text...q........................... ..`.rdata.......0......."..............@..@.data...@....@.......&..............@....reloc..L....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nse91FD.tmp\UAC.dll Download File
Process:	C:\Users\user\Desktop\iLividSetupV1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.952191493801213
Encrypted:	false
SSDEEP:	192:qP6KdXy+Yo7e1J8qC25a5mDFmCLGUCVGpU6uNck87I0S/TDqwyTq+:q/q3Pgd5mx6VkEck87ILCTN
MD5:	A88BAAD3461D2E9928A15753B1D93FD7
SHA1:	BB826E35264968BBC3B981D8430AC55DF1E6D4A6
SHA-256:	C5AB2926C268257122D0342739E73573D7EEDA34C861BC7A68A02CBC69BD41AF
SHA-512:	5EDCF46680716930DA7FD1A41B8B0426F057CF4BECEFB3EE84798EC8B449726AFB822FB626C4942036A1AE3BB937184D1F71D0E45075ABB5BF167F5D833DF43A
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^.O.0.O.0.O.0.O.1...0..m.D.0.....L.0.6.N.0.4.N.0.RichO.0.................PE..L...m.AK...........!.....&...........-.......@...............................p.......................................5..<.......x....P.......................`..........................................................P............................text....%.......&.................. ..`.data...H....@.......*..............@....rsrc........P......................@..@.reloc..\|....`.......0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nse91FD.tmp\license.txt Download File
Process:	C:\Users\user\Desktop\iLividSetupV1.exe
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	18433
Entropy (8bit):	4.968600211322537
Encrypted:	false
SSDEEP:	384:LdOmrJYeVR7P5/Udi6f8MWBrK3Kx2P74d0jrrK3Qv6c543Sr4cB/EGy5y06:L9rXP2iQ8Xpx2PMqjrhvsNe/EG2yP
MD5:	ADC52E4DF9473983D7C1BBE0F67B2891
SHA1:	70CD5B1954D485C1C5819329C42C2F83F3ADD182
SHA-256:	46AEFAA17E63EF0FBC4EA1ED1C405BD8D55CE1CC107151404AD79FD78838CD1E
SHA-512:	0F00A030B8831C6DDDCF093A1B63BD3D5757B8DE7C41D7C5560872D6F6900EFD9DF77F7A9170E03D7B211CD6CA5EE00DCB0B5762870868A3C8C777CA4C71D4BF
Malicious:	false
Reputation:	low
Preview:	iLivid.com.. ..Welcome to iLivid.com, and thank you for trying out the iLivid.com software...END USER LICENSE / TERMS OF SERVICE AGREEMENT..IMPORTANT NOTICE - PLEASE READ THE FOLLOWING TERMS AND CONDITIONS OF USE CAREFULLY. THEY SHALL GOVERN YOUR USE OF THE iLivid.COM.S SOFTWARE, SERVICE AND SITE. IF, AFTER READING THESE TERMS AND CONDITIONS OF USE, YOU WISH TO USE THE SERVICE AND SOFTWARE PLEASE INDICATE YOUR ACCEPTANCE HEREOF BY CLICKING "I AGREE" AT THE END... ..1. TERMS AND CONDITIONS OF USE.. ..The iLivid Player application and the iLivid Toolbar with respect to all product versions and version updates until further notice, the iLivid Toolbar, as defined herein below, and any accompanying product and/or feature and/or addition thereof (together, the "Service") and the software enabling the use thereof (the "Software"), are provided by iLivid.com and/or its affiliates and subsidiaries (collectively "iLivid.com" or "we") to you ("you" or "your") and others who use the Service and S

C:\Users\user\AppData\Local\Temp\nse91FD.tmp\modern-header.bmp Download File
Process:	C:\Users\user\Desktop\iLividSetupV1.exe
File Type:	PC bitmap, Windows 3.x format, 498 x 58 x 24
Category:	dropped
Size (bytes):	86822
Entropy (8bit):	4.954942158775316
Encrypted:	false
SSDEEP:	768:ENQnm7njG/tbxjtMp0PEUKDNT+OaA23qp44jrlCvlkFH:ENQnm7nj0tdjtxwyNq+lkFH
MD5:	AAD23E408FC3EF789A35569F04484F3E
SHA1:	FF70801973C3A8263A9208DB33C0ABCEF9FFF854
SHA-256:	B336D6CDF362E0A5E4879CB722AFD25ED3F56671C6244FBACDF5A7E8B4F7A05E
SHA-512:	0FD55AC061705BCDB5E82479B625CDF24964C91A0A96C7930B55DCCCC7DF81C84CC3844499555EFEB3DA250EB44F5C92B12590A9FA5CEF2C1B77E8B5324A4382
Malicious:	false
Reputation:	low
Preview:	BM&S......6...(.......:............R..................%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%$$$$$$%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

C:\Users\user\AppData\Local\Temp\nse91FD.tmp\nsDialogs.dll Download File
Process:	C:\Users\user\Desktop\iLividSetupV1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	9728
Entropy (8bit):	5.131946648363094
Encrypted:	false
SSDEEP:	192:y1zQhZDqlJcKISw99ioU3MSfwLF/+nhHUisdz:ozoZDGKYw9goWyFGBU7z
MD5:	F7B92B78F1A00A872C8A38F40AFA7D65
SHA1:	872522498F69AD49270190C74CF3AF28862057F2
SHA-256:	2BEE549B2816BA29F81C47778D9E299C3A364B81769E43D5255310C2BD146D6E
SHA-512:	3AD6AFA6269B48F238B48CF09EEEFDEF03B58BAB4E25282C8C2887B4509856CF5CBB0223FBB06C822FB745AEEA000DD1EEE878DF46AD0BA7F2EF520A7A607F79
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..v&.b%&.b%&.b%.!.%+.b%&.c%..b%/..% .b%/..%'.b%/..%'.b%/..%'.b%Rich&.b%................PE..L....l.K...........!.........................0...............................p...................................... 7..k....2.......P.......................`.......................................................0...............................text............................... ..`.rdata.......0......................@..@.data...0....@......................@....rsrc........P....... ..............@..@.reloc..N....`......."..............@..B................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.970531196412497
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iLividSetupV1.exe
File size:	823648
MD5:	016b0f5e6b3221659c763a2cb6a238da
SHA1:	b120b44b9320e21b9277f8520d0a9f8e0a663f05
SHA256:	03d1e0a1b7bdd49c52fe65917ab7376987b89719722a3e907604be9639900370
SHA512:	c09ff452b1bd0b5320b0fdd939b50363b9583ede927a0e79cd9d57800b54b8163d18e791142838cae586c94821c2682130a74a961621920555d0dd0a6b8597c1
SSDEEP:	24576:M0aNNdDEuDbbETLHzQlrnTfvecXz7tcTIlXdtQO6kldiDDc:MLVDU3HQzeScTIlXdtpji0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................d.

File Icon


Icon Hash:	8888c6e66470b0b9

Static PE Info

General
Entrypoint:	0x4033e9
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4BC06CCB [Sat Apr 10 12:19:23 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bf95d1fc1d10de18b32654b123ad5e1f

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	10/5/2010 5:00:00 PM 10/5/2012 4:59:59 PM
Subject Chain	CN=Bandoo Media Inc, O=Bandoo Media Inc, L=Panama City, S=Panama, C=PA
Version:	3
Thumbprint MD5:	72CFCB254DFBDF38B2994B2AA8B976B1
Thumbprint SHA-1:	BD3C53D780FA1AAE7F29BAFE81622A440DF89977
Thumbprint SHA-256:	C88C86FF88BED46F9693669438711D2245A8D06DB5CC63E11D389F1B6AE6D5DC
Serial:	5915CD3A113B9B2AE7B497DDDFCDF8F5

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00408570h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082B0h]
push 00000008h
mov dword ptr [00470678h], eax
call 00007F4190B8C23Ch
push ebp
push 000002B4h
mov dword ptr [00470590h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040856Ch
call dword ptr [00408180h]
push 00408554h
push 00468580h
call 00007F4190B8C10Ah
call dword ptr [004080B0h]
push eax
mov edi, 004C10A0h
push edi
call 00007F4190B8C0F8h
push ebp
call dword ptr [00408130h]
cmp word ptr [004C10A0h], 0022h
mov dword ptr [00470598h], eax
mov eax, edi
jne 00007F4190B89ADAh
push 00000022h
pop esi
mov eax, 004C10A2h
push esi
push eax
call 00007F4190B8BDCCh
push eax
call dword ptr [00408250h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F4190B89B61h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F4190B89AD9h
inc esi
inc esi
cmp word ptr [esi], bx
je 00007F4190B89ACBh

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[ C ] VS2005 build 50727
[ C ] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89f0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x242000	0x3188	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc75a0	0x1bc0	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6240	0x6400	False	0.656640625	data	6.42173757604	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x18ca	0x1a00	False	0.424278846154	data	4.87836739949	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x6667c	0x200	False	0.193359375	data	1.35871626133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x71000	0x1d1000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x242000	0x3188	0x3200	False	0.384453125	data	4.27381392653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2421d8	0x25a8	data	English	United States
RT_DIALOG	0x244780	0x200	data	English	United States
RT_DIALOG	0x244980	0xf8	data	English	United States
RT_DIALOG	0x244a78	0xee	data	English	United States
RT_GROUP_ICON	0x244b68	0x14	data	English	United States
RT_VERSION	0x244b80	0x240	data
RT_MANIFEST	0x244dc0	0x3c6	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, MulDiv, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, FindWindowExW, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, IsWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Version Infos

Description	Data
LegalCopyright	Copyright (c) 2011
FileVersion	1.92
CompanyName	Bandoo Media Inc
ProductName	iLivid
ProductVersion	1.92
FileDescription	iLivid Install
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 19, 2021 08:11:23.437958002 CEST	56590	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:23.487483978 CEST	53	56590	8.8.8.8	192.168.2.7
May 19, 2021 08:11:23.667807102 CEST	60501	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:23.724040985 CEST	53775	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:23.728879929 CEST	53	60501	8.8.8.8	192.168.2.7
May 19, 2021 08:11:23.785218954 CEST	53	53775	8.8.8.8	192.168.2.7
May 19, 2021 08:11:24.349945068 CEST	51837	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:24.402496099 CEST	53	51837	8.8.8.8	192.168.2.7
May 19, 2021 08:11:25.281192064 CEST	55411	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:25.331451893 CEST	53	55411	8.8.8.8	192.168.2.7
May 19, 2021 08:11:37.441731930 CEST	63668	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:37.491609097 CEST	53	63668	8.8.8.8	192.168.2.7
May 19, 2021 08:11:38.297208071 CEST	54640	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:38.349421978 CEST	53	54640	8.8.8.8	192.168.2.7
May 19, 2021 08:11:38.985270023 CEST	58739	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:39.035059929 CEST	53	58739	8.8.8.8	192.168.2.7
May 19, 2021 08:11:39.197057009 CEST	60338	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:39.257184982 CEST	53	60338	8.8.8.8	192.168.2.7
May 19, 2021 08:11:39.360924959 CEST	58717	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:39.402041912 CEST	59762	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:39.412823915 CEST	53	58717	8.8.8.8	192.168.2.7
May 19, 2021 08:11:39.462865114 CEST	53	59762	8.8.8.8	192.168.2.7
May 19, 2021 08:11:39.600907087 CEST	54329	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:39.661725998 CEST	53	54329	8.8.8.8	192.168.2.7
May 19, 2021 08:11:39.819581985 CEST	58052	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:39.881650925 CEST	53	58052	8.8.8.8	192.168.2.7
May 19, 2021 08:11:39.912091970 CEST	54008	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:39.972060919 CEST	53	54008	8.8.8.8	192.168.2.7
May 19, 2021 08:11:40.021215916 CEST	59451	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:40.080660105 CEST	53	59451	8.8.8.8	192.168.2.7
May 19, 2021 08:11:40.169728041 CEST	52914	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:40.218997955 CEST	53	52914	8.8.8.8	192.168.2.7
May 19, 2021 08:11:40.233288050 CEST	64569	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:40.296129942 CEST	53	64569	8.8.8.8	192.168.2.7
May 19, 2021 08:11:40.445727110 CEST	52816	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:40.503844976 CEST	53	52816	8.8.8.8	192.168.2.7
May 19, 2021 08:11:41.206981897 CEST	50781	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:41.268367052 CEST	53	50781	8.8.8.8	192.168.2.7
May 19, 2021 08:11:42.084594965 CEST	54230	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:42.135618925 CEST	53	54230	8.8.8.8	192.168.2.7
May 19, 2021 08:11:42.955171108 CEST	54911	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:43.004581928 CEST	53	54911	8.8.8.8	192.168.2.7
May 19, 2021 08:11:43.913204908 CEST	49958	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:43.983396053 CEST	50860	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:43.992063999 CEST	53	49958	8.8.8.8	192.168.2.7
May 19, 2021 08:11:44.043899059 CEST	53	50860	8.8.8.8	192.168.2.7
May 19, 2021 08:11:44.844269037 CEST	50452	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:44.894095898 CEST	53	50452	8.8.8.8	192.168.2.7
May 19, 2021 08:11:46.671765089 CEST	59730	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:46.721375942 CEST	53	59730	8.8.8.8	192.168.2.7
May 19, 2021 08:11:48.900346041 CEST	59310	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:48.950057030 CEST	53	59310	8.8.8.8	192.168.2.7
May 19, 2021 08:11:49.754013062 CEST	51919	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:49.803761959 CEST	53	51919	8.8.8.8	192.168.2.7
May 19, 2021 08:11:50.591068983 CEST	64296	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:50.640804052 CEST	53	64296	8.8.8.8	192.168.2.7
May 19, 2021 08:11:51.506058931 CEST	56680	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:51.557172060 CEST	53	56680	8.8.8.8	192.168.2.7
May 19, 2021 08:11:52.584475040 CEST	58820	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:52.645016909 CEST	53	58820	8.8.8.8	192.168.2.7
May 19, 2021 08:11:53.431426048 CEST	60983	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:53.481242895 CEST	53	60983	8.8.8.8	192.168.2.7
May 19, 2021 08:11:54.368607998 CEST	49247	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:54.420929909 CEST	53	49247	8.8.8.8	192.168.2.7
May 19, 2021 08:11:55.489237070 CEST	52286	53	192.168.2.7	8.8.8.8
May 19, 2021 08:11:55.541595936 CEST	53	52286	8.8.8.8	192.168.2.7
May 19, 2021 08:12:09.974675894 CEST	56064	53	192.168.2.7	8.8.8.8
May 19, 2021 08:12:10.041209936 CEST	53	56064	8.8.8.8	192.168.2.7
May 19, 2021 08:12:18.919238091 CEST	63744	53	192.168.2.7	8.8.8.8
May 19, 2021 08:12:18.978482962 CEST	53	63744	8.8.8.8	192.168.2.7
May 19, 2021 08:12:48.194960117 CEST	61457	53	192.168.2.7	8.8.8.8
May 19, 2021 08:12:48.253403902 CEST	53	61457	8.8.8.8	192.168.2.7
May 19, 2021 08:12:57.742561102 CEST	58367	53	192.168.2.7	8.8.8.8
May 19, 2021 08:12:57.803287029 CEST	53	58367	8.8.8.8	192.168.2.7
May 19, 2021 08:13:17.220089912 CEST	60599	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:17.274543047 CEST	53	60599	8.8.8.8	192.168.2.7
May 19, 2021 08:13:17.821556091 CEST	59571	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:17.871439934 CEST	53	59571	8.8.8.8	192.168.2.7
May 19, 2021 08:13:18.452068090 CEST	52689	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:18.511581898 CEST	53	52689	8.8.8.8	192.168.2.7
May 19, 2021 08:13:18.974159956 CEST	50290	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:19.002716064 CEST	60427	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:19.023545027 CEST	53	50290	8.8.8.8	192.168.2.7
May 19, 2021 08:13:19.075825930 CEST	53	60427	8.8.8.8	192.168.2.7
May 19, 2021 08:13:19.568823099 CEST	56209	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:19.627227068 CEST	53	56209	8.8.8.8	192.168.2.7
May 19, 2021 08:13:20.357403994 CEST	59582	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:20.407136917 CEST	53	59582	8.8.8.8	192.168.2.7
May 19, 2021 08:13:20.986258030 CEST	60949	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:21.044718027 CEST	53	60949	8.8.8.8	192.168.2.7
May 19, 2021 08:13:22.027832031 CEST	58542	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:22.088813066 CEST	53	58542	8.8.8.8	192.168.2.7
May 19, 2021 08:13:23.095395088 CEST	59179	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:23.195583105 CEST	53	59179	8.8.8.8	192.168.2.7
May 19, 2021 08:13:23.889240026 CEST	60927	53	192.168.2.7	8.8.8.8
May 19, 2021 08:13:23.973160982 CEST	53	60927	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 19, 2021 08:11:38.985270023 CEST	192.168.2.7	8.8.8.8	0x37cd	Standard query (0)	download.cdn.ilivid.com	A (IP address)	IN (0x0001)
May 19, 2021 08:11:39.197057009 CEST	192.168.2.7	8.8.8.8	0x81be	Standard query (0)	download.cdn.ilivid.com	A (IP address)	IN (0x0001)
May 19, 2021 08:11:39.402041912 CEST	192.168.2.7	8.8.8.8	0x4757	Standard query (0)	download.cdn.ilivid.com	A (IP address)	IN (0x0001)
May 19, 2021 08:11:39.600907087 CEST	192.168.2.7	8.8.8.8	0x4942	Standard query (0)	download.cdn.ilivid.com	A (IP address)	IN (0x0001)
May 19, 2021 08:11:39.819581985 CEST	192.168.2.7	8.8.8.8	0xa330	Standard query (0)	download.cdn.ilivid.com	A (IP address)	IN (0x0001)
May 19, 2021 08:11:40.021215916 CEST	192.168.2.7	8.8.8.8	0xabe5	Standard query (0)	download.cdn.ilivid.com	A (IP address)	IN (0x0001)
May 19, 2021 08:11:40.233288050 CEST	192.168.2.7	8.8.8.8	0xefac	Standard query (0)	download.cdn.ilivid.com	A (IP address)	IN (0x0001)
May 19, 2021 08:11:40.445727110 CEST	192.168.2.7	8.8.8.8	0x2434	Standard query (0)	download.cdn.ilivid.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 19, 2021 08:11:39.035059929 CEST	8.8.8.8	192.168.2.7	0x37cd	Name error (3)	download.cdn.ilivid.com	none	none	A (IP address)	IN (0x0001)
May 19, 2021 08:11:39.257184982 CEST	8.8.8.8	192.168.2.7	0x81be	Name error (3)	download.cdn.ilivid.com	none	none	A (IP address)	IN (0x0001)
May 19, 2021 08:11:39.462865114 CEST	8.8.8.8	192.168.2.7	0x4757	Name error (3)	download.cdn.ilivid.com	none	none	A (IP address)	IN (0x0001)
May 19, 2021 08:11:39.661725998 CEST	8.8.8.8	192.168.2.7	0x4942	Name error (3)	download.cdn.ilivid.com	none	none	A (IP address)	IN (0x0001)
May 19, 2021 08:11:39.881650925 CEST	8.8.8.8	192.168.2.7	0xa330	Name error (3)	download.cdn.ilivid.com	none	none	A (IP address)	IN (0x0001)
May 19, 2021 08:11:40.080660105 CEST	8.8.8.8	192.168.2.7	0xabe5	Name error (3)	download.cdn.ilivid.com	none	none	A (IP address)	IN (0x0001)
May 19, 2021 08:11:40.296129942 CEST	8.8.8.8	192.168.2.7	0xefac	Name error (3)	download.cdn.ilivid.com	none	none	A (IP address)	IN (0x0001)
May 19, 2021 08:11:40.503844976 CEST	8.8.8.8	192.168.2.7	0x2434	Name error (3)	download.cdn.ilivid.com	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

• iLividSetupV1.exe

Click to jump to process

Memory Usage

• iLividSetupV1.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: iLividSetupV1.exe PID: 5056 Parent PID: 5724

Function Logs

General

Start time:	08:11:30
Start date:	19/05/2021
Path:	C:\Users\user\Desktop\iLividSetupV1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\iLividSetupV1.exe'
Imagebase:	0x400000
File size:	823648 bytes
MD5 hash:	016B0F5E6B3221659C763A2CB6A238DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Message Posted to Windows UI

Show Windows behavior

Network Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report iLividSetupV1.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: iLividSetupV1.exe PID: 5056 Parent PID: 5724

General

File Activities

File Opened

File Created