Malware Analysis Report

2024-11-16 13:50

Sample ID: 240628-jpb7vsyclg
Target: @!ⱾetUp_99518__#PaŜṨW0rd!$!$.zip
SHA256: fb271d1da339048a1121c442642610aefaa7047db524998cd190795503c70d99
Tags: stealc vidar discovery spyware stealer
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10
SHA256: fb271d1da339048a1121c442642610aefaa7047db524998cd190795503c70d99
Threat Level: Known bad

The file @!ⱾetUp_99518__#PaŜṨW0rd!$!$.zip was found to be: Known bad.

Malicious Activity Summary

Tags: stealc vidar discovery spyware stealer

- Stealc
- Vidar
- Detect Vidar Stealer
- Downloads MZ/PE file
- Reads data files stored by FTP clients
- Loads dropped DLL
- Executes dropped EXE
- Reads user/profile data of web browsers
- Checks computer location settings
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
- Suspicious use of SetThreadContext
- Enumerates physical storage devices
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-28 07:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-28 07:50
Reported: 2024-06-28 07:52
Platform: win10v2004-20240508-en
Max time kernel: 61s
Max time network: 65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Detect Vidar Stealer (stealer)

Stealc (stealer, stealc)

Vidar (stealer, vidar)

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Executes dropped EXE

Process
C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe

Loads dropped DLL

Count Process
16 C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
18 C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
1 C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Reads data files stored by FTP clients (spyware, stealer)

Reads user/profile data of web browsers (spyware, stealer)

Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)

Checks installed software on the system (discovery)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4236 set thread context of 1940 N/A C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Suspicious behavior: MapViewOfSection

Process
C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
C:\Windows\SysWOW64\more.com

Suspicious use of SetWindowsHookEx

Process
C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Suspicious use of WriteProcessMemory

Count Description Process Target
3 PID 4468 wrote to memory of 4652 C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
3 PID 4652 wrote to memory of 4236 C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
4 PID 4236 wrote to memory of 1940 C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe C:\Windows\SysWOW64\more.com
6 PID 1940 wrote to memory of 2000 C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
    C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe

C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
    C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe

C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3
    C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Network

Count Country Destination Domain Proto
1 US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
1 US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
1 US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
1 US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
1 US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
1 US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
1 US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
1 US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
1 US 8.8.8.8:53 t.me udp
1 NL 149.154.167.99:443 t.me tcp
11 DE 195.201.251.214:9000 195.201.251.214 tcp
1 US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
1 US 8.8.8.8:53 214.251.201.195.in-addr.arpa udp
1 US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
6 DE 195.201.251.214:9000 N/A tcp
1 US 8.8.8.8:53 professionalresources.pw udp
1 US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\c3e23fe6
C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
C:\Users\Admin\AppData\Local\Temp\nodealt\ImUtilsU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\IMHttpComm.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\SftTree_IX86_U_60.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\ImWrappU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\ImLookExU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\ImABU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\wlessfp1.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\slub.yml
C:\Users\Admin\AppData\Local\Temp\nodealt\finial.csv
C:\Users\Admin\AppData\Local\Temp\nodealt\ImNtUtilU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\msvcr80.dll
C:\Users\Admin\AppData\Roaming\nodealt\ImDbU.dll
C:\Users\Admin\AppData\Roaming\nodealt\mfc80u.dll
C:\Users\Admin\AppData\Roaming\nodealt\ImLookU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\msvcp80.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\Microsoft.VC80.MFC.manifest
C:\Users\Admin\AppData\Local\Temp\nodealt\Microsoft.VC80.CRT.manifest

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-28 07:50
Reported: 2024-06-28 07:52
Platform: win10-20240404-en
Max time kernel: 63s
Max time network: 63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Detect Vidar Stealer (stealer)

Stealc (stealer, stealc)

Vidar (stealer, vidar)

Downloads MZ/PE file

Executes dropped EXE

Process
C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe

Loads dropped DLL

Count Process
16 C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
16 C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
1 C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Reads data files stored by FTP clients (spyware, stealer)

Reads user/profile data of web browsers (spyware, stealer)

Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)

Checks installed software on the system (discovery)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4536 set thread context of 5004 N/A C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Suspicious behavior: EnumeratesProcesses

Count Process
2 C:\Users\Admin\AppData\Local\Temp\Setup.exe
1 C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
2 C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
2 C:\Windows\SysWOW64\more.com
28 C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Suspicious behavior: MapViewOfSection

Process
C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
C:\Windows\SysWOW64\more.com

Suspicious use of SetWindowsHookEx

Count Process
2 C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Suspicious use of WriteProcessMemory

Count Description Process Target
3 PID 2072 wrote to memory of 2240 C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
3 PID 2240 wrote to memory of 4536 C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
4 PID 4536 wrote to memory of 5004 C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe C:\Windows\SysWOW64\more.com
6 PID 5004 wrote to memory of 704 C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
    C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe

C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe
    C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe

C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3
    C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Count Country Destination Domain Proto
1 US 8.8.8.8:53 t.me udp
1 NL 149.154.167.99:443 t.me tcp
1 US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
1 US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
14 DE 195.201.251.214:9000 195.201.251.214 tcp
1 US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
1 US 8.8.8.8:53 214.251.201.195.in-addr.arpa udp
6 DE 195.201.251.214:9000 N/A tcp
1 US 8.8.8.8:53 professionalresources.pw udp

Files

C:\Users\Admin\AppData\Local\Temp\f0fa68fa
C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
C:\Users\Admin\AppData\Local\Temp\nodealt\ImNtUtilU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\MFC80U.DLL
\Users\Admin\AppData\Local\Temp\nodealt\ImABU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\wlessfp1.dll
\Users\Admin\AppData\Local\Temp\nodealt\SftTree_IX86_U_60.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImWrappU.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImLookExU.dll
\Users\Admin\AppData\Local\Temp\nodealt\IMHttpComm.dll
\Users\Admin\AppData\Local\Temp\nodealt\sqlite3.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImDbU.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImUtilsU.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImLookU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\slub.yml
C:\Users\Admin\AppData\Local\Temp\nodealt\finial.csv
C:\Users\Admin\AppData\Local\Temp\nodealt\msvcr80.dll

C:\Users\Admin\AppData\Local\Temp\nodealt\msvcp80.dll

MD5 4c8a880eabc0b4d462cc4b2472116ea1
SHA1 d0a27f553c0fe0e507c7df079485b601d5b592e6
SHA256 2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08
SHA512 6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

memory/2240-91-0x0000000060900000-0x0000000060979000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nodealt\Microsoft.VC80.MFC.manifest

MD5 97b859f11538bbe20f17dfb9c0979a1c
SHA1 2593ad721d7be3821fd0b40611a467db97be8547
SHA256 4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36
SHA512 905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541

C:\Users\Admin\AppData\Local\Temp\nodealt\Microsoft.VC80.CRT.manifest

MD5 541423a06efdcd4e4554c719061f82cf
SHA1 2e12c6df7352c3ed3c61a45baf68eace1cc9546e
SHA256 17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5
SHA512 11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6

memory/2240-66-0x00007FF90EED0000-0x00007FF90F0AB000-memory.dmp

memory/4536-115-0x00000000021F0000-0x000000000223D000-memory.dmp

memory/4536-121-0x0000000002240000-0x00000000022CE000-memory.dmp

memory/4536-118-0x0000000000730000-0x0000000000740000-memory.dmp

memory/4536-126-0x00007FF90EED0000-0x00007FF90F0AB000-memory.dmp

memory/5004-130-0x00007FF90EED0000-0x00007FF90F0AB000-memory.dmp

memory/5004-132-0x0000000072500000-0x000000007267B000-memory.dmp

memory/704-137-0x00007FF90EED0000-0x00007FF90F0AB000-memory.dmp

memory/704-140-0x0000000001150000-0x0000000001399000-memory.dmp

memory/704-155-0x0000000023630000-0x000000002388F000-memory.dmp

memory/704-179-0x0000000001150000-0x0000000001399000-memory.dmp

memory/704-180-0x0000000001150000-0x0000000001399000-memory.dmp