Analysis Overview
SHA256
fb271d1da339048a1121c442642610aefaa7047db524998cd190795503c70d99
Threat Level: Known bad
The file @!ⱾetUp_99518__#PaŜṨW0rd!$!$.zip was found to be: Known bad.
Malicious Activity Summary
Stealc
Vidar
Detect Vidar Stealer
Downloads MZ/PE file
Reads data files stored by FTP clients
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 07:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 07:50
Reported
2024-06-28 07:52
Platform
win10v2004-20240508-en
Max time kernel
61s
Max time network
65s
Command Line
Signatures
Detect Vidar Stealer
Stealc
Vidar
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4236 set thread context of 1940 | N/A | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe | C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe |
| C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe |
| C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\more.com |
| C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 195.201.251.214:9000 | 195.201.251.214 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.251.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 195.201.251.214:9000 | N/A | tcp |
| US | 8.8.8.8:53 | professionalresources.pw | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\c3e23fe6
C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
C:\Users\Admin\AppData\Local\Temp\nodealt\ImUtilsU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\IMHttpComm.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\SftTree_IX86_U_60.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\ImWrappU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\ImLookExU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\ImABU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\wlessfp1.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\slub.yml
C:\Users\Admin\AppData\Local\Temp\nodealt\finial.csv
C:\Users\Admin\AppData\Local\Temp\nodealt\ImNtUtilU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\msvcr80.dll
C:\Users\Admin\AppData\Roaming\nodealt\ImDbU.dll
C:\Users\Admin\AppData\Roaming\nodealt\mfc80u.dll
C:\Users\Admin\AppData\Roaming\nodealt\ImLookU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\msvcp80.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\Microsoft.VC80.MFC.manifest
C:\Users\Admin\AppData\Local\Temp\nodealt\Microsoft.VC80.CRT.manifest
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 07:50
Reported
2024-06-28 07:52
Platform
win10-20240404-en
Max time kernel
63s
Max time network
63s
Command Line
Signatures
Detect Vidar Stealer
Stealc
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4536 set thread context of 5004 | N/A | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe | C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe |
| C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe | C:\Users\Admin\AppData\Roaming\nodealt\ImApp.exe |
| C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\more.com |
| C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| DE | 195.201.251.214:9000 | 195.201.251.214 | tcp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.251.201.195.in-addr.arpa | udp |
| DE | 195.201.251.214:9000 | N/A | tcp |
| US | 8.8.8.8:53 | professionalresources.pw | udp |
Files
C:\Users\Admin\AppData\Local\Temp\f0fa68fa
C:\Users\Admin\AppData\Local\Temp\nodealt\ImApp.exe
C:\Users\Admin\AppData\Local\Temp\nodealt\ImNtUtilU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\MFC80U.DLL
\Users\Admin\AppData\Local\Temp\nodealt\ImABU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\wlessfp1.dll
\Users\Admin\AppData\Local\Temp\nodealt\SftTree_IX86_U_60.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImWrappU.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImLookExU.dll
\Users\Admin\AppData\Local\Temp\nodealt\IMHttpComm.dll
\Users\Admin\AppData\Local\Temp\nodealt\sqlite3.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImDbU.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImUtilsU.dll
\Users\Admin\AppData\Local\Temp\nodealt\ImLookU.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\slub.yml
C:\Users\Admin\AppData\Local\Temp\nodealt\finial.csv
C:\Users\Admin\AppData\Local\Temp\nodealt\msvcr80.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\msvcp80.dll
C:\Users\Admin\AppData\Local\Temp\nodealt\Microsoft.VC80.MFC.manifest
C:\Users\Admin\AppData\Local\Temp\nodealt\Microsoft.VC80.CRT.manifest