Analysis Overview
SHA256
c445af54b87ce9883c3a71dc27f64b8e976c88deaa0427ea79923025f6d532d8
Threat Level: Shows suspicious behavior
The file ViberSetup.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Looks up external IP address via web service
Blocklisted process makes network request
Enumerates connected drives
Adds Run key to start application
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Drops file in Windows directory
Loads dropped DLL
Checks installed software on the system
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer settings
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:10
Reported
2024-11-13 18:40
Platform
win10ltsc2021-20241023-en
Max time kernel
1376s
Max time network
1437s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{71F30FA7-FED5-44C9-9EC1-FEBCFB34056C} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{71F30FA7-FED5-44C9-9EC1-FEBCFB34056C}\\ViberSetup.exe\" /burn.runonce" | C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,4474,19041,0" | C:\Windows\system32\ie4uinit.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\SFXCA03C95AAB2142CE1B5D9F92ED70F52050\ViberCustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\SFXCA03C95AAB2142CE1B5D9F92ED70F52050\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{78B48DCB-25AE-4269-8BEE-FED121023942} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\SFXCA03C95AAB2142CE1B5D9F92ED70F52050\WixToolset.Dtf.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA029.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e579ad8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e579ad8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9EE0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA376.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e579adc.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\ViberBA | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\ViberBA | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "12" | C:\Windows\system32\ie4uinit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\ = "Open in S&ame Window" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.website | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Installer\Dependencies\{71F30FA7-FED5-44C9-9EC1-FEBCFB34056C}\Dependents | C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Installer\Dependencies\{78B48DCB-25AE-4269-8BEE-FED121023942}_v23.9.0.4\ = "{78B48DCB-25AE-4269-8BEE-FED121023942}" | C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\viber\DefaultIcon | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Installer\Dependencies\{71F30FA7-FED5-44C9-9EC1-FEBCFB34056C}\DisplayName = "Viber" | C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.partial\OpenWithProgIds | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.website\OpenWithProgIds | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\viber\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Viber\\Viber.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\DefaultIcon | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\EditFlags = "131074" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\print\command | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell\Open\ | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rlogin\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-908" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,5" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shell | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Installer | C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\xhtmlfile | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\CommandId = "IE.File" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\CommandId = "IE.File" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mailto\DefaultIcon | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\ = "URL:File Transfer Protocol" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-905" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\PropertySheetHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\" \"%2\" \"%3\" \"%4\"" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\IconHandler | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shell\open | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\ = "open" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\" \"%2\" \"%3\" \"%4\"" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mailto\shell | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\viber\ = "URL:Viber Link" | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\ = "opennew" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\CommandId = "IE.File" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\CommandId = "IE.File" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,0" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\CommandId = "IE.File" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell\ | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Installer\Dependencies\{71F30FA7-FED5-44C9-9EC1-FEBCFB34056C} | C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\DefaultIcon | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\ = "svgfile" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\xhtmlfile | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1" | C:\Windows\system32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1" | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tn3270 | C:\Windows\system32\ie4uinit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\DefaultIcon | C:\Windows\system32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\DefaultIcon | C:\Windows\system32\ie4uinit.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\ViberBA | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Viber\Viber.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ViberSetup.exe"
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\ViberBA
"C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\ViberBA" -burn.ba.apiver 569705357157400576 -burn.ba.pipe BurnPipe.{5C68AC2D-AE2E-4609-BCAC-C45B3F07AAAA} {E05B1F60-55DC-404A-8810-5D83AD506B5B}
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 606D17CEA5E844165B91B12F740E5A9E
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI9EE0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240623453 2 ViberCustomActions!ViberCustomActions.KillViberCustomAction.KillViber
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding F3A432C775FDF4DBC630770F60BDC9CC
C:\Windows\system32\ie4uinit.exe
ie4uinit.exe -ClearIconCache
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\system32\ie4uinit.exe
ie4uinit.exe -show
C:\Users\Admin\AppData\Local\Viber\Viber.exe
"C:\Users\Admin\AppData\Local\Viber\Viber.exe" AfterInstallation BurnInstaller
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | api.mixpanel.com | udp |
| US | 130.211.34.183:443 | api.mixpanel.com | tcp |
| US | 8.8.8.8:53 | 77.16.231.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.34.211.130.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.cdn.viber.com | udp |
| DE | 18.66.122.96:443 | download.cdn.viber.com | tcp |
| US | 8.8.8.8:53 | 96.122.66.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.142.66.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | in.appcenter.ms | udp |
| US | 52.247.72.241:443 | in.appcenter.ms | tcp |
| US | 52.247.72.241:443 | in.appcenter.ms | tcp |
| US | 8.8.8.8:53 | 241.72.247.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | in.appcenter.ms | udp |
| US | 4.152.45.255:443 | in.appcenter.ms | tcp |
| US | 8.8.8.8:53 | 255.45.152.4.in-addr.arpa | udp |
| N/A | 127.0.0.1:50249 | tcp | |
| US | 8.8.8.8:53 | secure.viber.com | udp |
| DE | 99.86.4.23:443 | secure.viber.com | tcp |
| US | 8.8.8.8:53 | www.cust-service.com | udp |
| US | 8.8.8.8:53 | acr.amplreq.com | udp |
| DE | 143.204.98.61:443 | www.cust-service.com | tcp |
| DE | 18.244.18.29:443 | acr.amplreq.com | tcp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.4.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.98.204.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.18.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.2.138.108.in-addr.arpa | udp |
| DE | 18.66.122.96:443 | download.cdn.viber.com | tcp |
| N/A | 127.0.0.1:50365 | tcp | |
| N/A | 127.0.0.1:50367 | tcp | |
| N/A | 127.0.0.1:50397 | tcp | |
| N/A | 127.0.0.1:50399 | tcp | |
| N/A | 127.0.0.1:50401 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | abtest.api.viber.com | udp |
| US | 8.8.8.8:53 | abff.viber.com | udp |
| US | 34.194.72.138:443 | abtest.api.viber.com | tcp |
| DE | 13.224.189.53:443 | abff.viber.com | tcp |
| US | 8.8.8.8:53 | data-events.cdn.viber.com | udp |
| US | 8.8.8.8:53 | activations-dtp.viber.com | udp |
| US | 8.8.8.8:53 | 53.189.224.13.in-addr.arpa | udp |
| DE | 99.86.4.29:443 | activations-dtp.viber.com | tcp |
| DE | 18.245.60.4:443 | data-events.cdn.viber.com | tcp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| DE | 18.245.65.219:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 8.8.8.8:53 | aloha46.viber.com | udp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 52.0.252.1:5242 | aloha46.viber.com | tcp |
| US | 8.8.8.8:53 | aloha46.viber.com | udp |
| US | 52.0.253.138:4244 | tcp | |
| US | 8.8.8.8:53 | 29.4.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.72.194.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.65.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.60.245.18.in-addr.arpa | udp |
| US | 130.211.34.183:443 | api.mixpanel.com | tcp |
| US | 130.211.34.183:443 | api.mixpanel.com | tcp |
| N/A | 127.0.0.1:50544 | tcp | |
| N/A | 127.0.0.1:50546 | tcp | |
| US | 8.8.8.8:53 | 1.252.0.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.253.0.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
C:\Windows\Temp\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\ViberBA
| MD5 | dd34ec0fe9fe3263d1c46107b1ce9a54 |
| SHA1 | eeb497ac95913692d7c4bcf002cea92c31f900a6 |
| SHA256 | ccfb2645a309296bb8e332cd0a25e70c03fd9cac0fb0944a1446e22c144584e6 |
| SHA512 | 9068175492c55d6713559d935e19322f535f10ff1e430a7f9bbed14eb16559116e7ee4400ef498ec50d21fcdb296fa5b12ce69e7430ccc7f5fdd9ea3b5b31385 |
memory/3876-119-0x0000000073A5E000-0x0000000073A5F000-memory.dmp
memory/3876-120-0x0000000000110000-0x00000000001C8000-memory.dmp
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\WixToolset.BootstrapperApplicationApi.dll
| MD5 | b025bd1a052b53ab272f9c106fc4bcef |
| SHA1 | 4712e5965347246273757c849b15bb941c230dcf |
| SHA256 | 701722bb7de42022f3f1b399aa8b1e964ad0bc270dd173ef3cdc93cc0c6ab2dc |
| SHA512 | 11ec485716682393e878fb127c3b56de6e29270e87f8447c606dde14ea1db35e27ff335853daa725e4cf2a65bfd67dc2ee1e52cbc6d6a52c4e35f8289ef939bc |
memory/3876-124-0x0000000004B00000-0x0000000004B2E000-memory.dmp
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\mbanative.dll
| MD5 | d8b07217ca579cae75cde20d3ac240ac |
| SHA1 | ad4bf45f0d2b00323104a0dfa7ff8abeeae6d22c |
| SHA256 | 0a603c00247aaef230c9b508ed46b5f8bccd2de7b95ddb9add75fa1a09cd97bc |
| SHA512 | 45d3ee3be59cf2418790cd004b04ea0414a7d8adcae15e3b5475f7e26aab135e7ff27deaca936bfe2d4375315e76cce2d77562330357847789e043079f8e63b6 |
memory/3876-127-0x0000000073A50000-0x0000000074201000-memory.dmp
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\Microsoft.AppCenter.dll
| MD5 | d318fbf1708e6dbcc1a6d199cf90e4a7 |
| SHA1 | f1f9b966be0b819ad73f5f8fdfddeda32905524c |
| SHA256 | 05586d3b941eefccecd476394d254374c9715eb47570ce1749171cd7c91bdbaa |
| SHA512 | 737e996a4bde70eb66e95492c86edba8d39a7f9179954f69d0092eb520f14936ba878f3d1d35d6568d91b9340ce83a4521734f6891f856eb3284aa9dfe27211d |
memory/3876-131-0x0000000004C70000-0x0000000004C98000-memory.dmp
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\Microsoft.AppCenter.Analytics.dll
| MD5 | 5d60fae0323c73aecf3b997c2faa08ca |
| SHA1 | 877a3871f4f866500d0de806fe121bae090cce0b |
| SHA256 | 1ef2215c1c9db9ea010c8f6461febf860f57b7cbc7cdb0dcb67bed10d0fd7165 |
| SHA512 | db80f9aac235869bd47d4e0caa765bb3ac8396479824278a651d0e65ef6c8a4f276674648ecceb8d8f3c30831fb7e58f05b78f6ad11005fb962c2b18419e0562 |
memory/3876-139-0x0000000004D50000-0x0000000004D62000-memory.dmp
C:\Windows\Temp\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\Microsoft.AppCenter.Crashes.dll
| MD5 | 9b884ada1fde0e961204b575e68d1461 |
| SHA1 | 63e60a6a0c072df481041d480e0ad0c5305f585b |
| SHA256 | d41332aecc4830cce6cdde7aa6f17db4c28e12116352cd001bd283c615fac44d |
| SHA512 | d391a7044766994e16794f7930d61649d4a5761d1c2cb63cbe43ae13e772806863427b751f32991271777ba82fb1375b46827f1b0494f630d5f5ab4792b6576f |
memory/3876-135-0x0000000004C50000-0x0000000004C5A000-memory.dmp
memory/3876-140-0x0000000073A50000-0x0000000074201000-memory.dmp
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\Newtonsoft.Json.dll
| MD5 | 081d9558bbb7adce142da153b2d5577a |
| SHA1 | 7d0ad03fbda1c24f883116b940717e596073ae96 |
| SHA256 | b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3 |
| SHA512 | 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511 |
memory/3876-144-0x0000000005170000-0x0000000005220000-memory.dmp
memory/3876-145-0x00000000057D0000-0x0000000005D76000-memory.dmp
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\SQLitePCLRaw.batteries_v2.dll
| MD5 | 7d9bb7ad7644bcd2da7286b0daeeeb12 |
| SHA1 | c3fb732ea00b615ff0ed8e1388f02fc11e851fa0 |
| SHA256 | 89da4e64bfe2e772605abe6c73fb1473f5221cdea3f36860dd3e434a365ad94e |
| SHA512 | e865afc9f8686bbe7f2cdc88c74fca2f4e182cb47fb87c2e3c1fe285cf636b8c1f553186c2c96741f7930576736e263b5c9bfaf88483fcc6507ec4b86f5df0de |
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\SQLitePCLRaw.core.dll
| MD5 | 13903dca676ca64697f26cedfd5480b2 |
| SHA1 | 4ec3463331259d01ed21bdb5793674e933588694 |
| SHA256 | 0a418e3323a3a76678c912c39b2fbac7ad4fc71bf3eb870fc0337333ca64e7c5 |
| SHA512 | d834f6cb0c3c26d3b45f6bf597188722678f65f45bf8173906d8c61ef989d826ac28efac920627c7b7a105398878c2266e16f80d333a73b0e6a6d081cf4a91d6 |
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\SQLitePCLRaw.provider.dynamic_cdecl.dll
| MD5 | a0babbe156e7f9993e87794da50b2c31 |
| SHA1 | 17615c37a99bacd9927e34b3ff461d586470a2ad |
| SHA256 | 7a79ee23dde8f6d3940d347a691fb1c68e1901bcfb18cec488150fad05e304f3 |
| SHA512 | 8e513cd3c55351872908e7d32964cd8c59d6f545563a20a0163bf8a9e679c10943e709206eeadef8bdce537c79fc9e36f6192d07322217eca7017acdcc7aa7c3 |
memory/3876-159-0x00000000053F0000-0x0000000005406000-memory.dmp
memory/3876-164-0x0000000005460000-0x0000000005486000-memory.dmp
memory/3876-166-0x0000000005430000-0x0000000005438000-memory.dmp
memory/3876-165-0x0000000005440000-0x0000000005448000-memory.dmp
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\e_sqlite3.dll
| MD5 | c56968fa0843ed78aca5200e0ba16b82 |
| SHA1 | 8da2761e28ccf307c71015a14038176516f60f25 |
| SHA256 | d25475871bc5e0d7182671f1e7b8ea9cf858cc7b75446103739e7f31afca91ff |
| SHA512 | 7f78350b8dc8fa449983e1f80db49f739a7fb7825a41e819f22073f68b9cb2d6d3270931f1adf5106b6a3c417aef2f8592cbfb33f4eb7480a4aaec489fcbc3d3 |
C:\Windows\Temp\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\System.Memory.dll
| MD5 | 592a822d0136b14f8d661891ff17c33b |
| SHA1 | f05ce2a5891b62c968d30fad13d37fbeb42a4389 |
| SHA256 | 41b5e1a4c59abdb1ce1467f58c3d9fd06d39dff4fc61d500a2410fece8037f4b |
| SHA512 | 6071c4d30283c9cf9c25023240fca97b33efbe51e2e4d1fd1d3692354e7f85963d87f38512260b37e71d7a7f5ac7a61396c8eeb1f862fefeaac90c53fef9e6a6 |
C:\Windows\Temp\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\System.Runtime.CompilerServices.Unsafe.dll
| MD5 | d9e308fe5f1ac35ce823964288da1ba5 |
| SHA1 | b23c26aa1739d02ba4216cc5b80a47fd1251ab41 |
| SHA256 | 1ad2dd7225d5162a0fd3a3b337a1949448520e3130a4bc8e010ec02f76097500 |
| SHA512 | 22768d92838a0061435520faae7ab9a8747050776dd1aca00ff874a51be2119a89876c41c1b540dc60354b2741540e1ca88e8e447d81e555ee535a5b92f8ea06 |
memory/3876-173-0x0000000005740000-0x000000000574A000-memory.dmp
memory/3876-174-0x0000000005F80000-0x0000000005FE6000-memory.dmp
memory/3876-172-0x0000000005750000-0x0000000005758000-memory.dmp
memory/3876-160-0x0000000005410000-0x000000000542A000-memory.dmp
memory/3876-155-0x00000000053D0000-0x00000000053E2000-memory.dmp
memory/3876-151-0x00000000053A0000-0x00000000053AA000-memory.dmp
memory/3876-177-0x0000000073A50000-0x0000000074201000-memory.dmp
memory/3876-178-0x0000000007380000-0x0000000007412000-memory.dmp
memory/3876-179-0x0000000007310000-0x0000000007318000-memory.dmp
memory/3876-181-0x0000000073A50000-0x0000000074201000-memory.dmp
memory/3876-180-0x00000000078B0000-0x0000000007A38000-memory.dmp
memory/3876-182-0x0000000007880000-0x00000000078A2000-memory.dmp
memory/3876-183-0x0000000008130000-0x0000000008487000-memory.dmp
memory/3876-185-0x00000000074C0000-0x00000000074CE000-memory.dmp
memory/3876-184-0x00000000074E0000-0x0000000007518000-memory.dmp
memory/3876-190-0x0000000073A50000-0x0000000074201000-memory.dmp
memory/3876-191-0x0000000073A50000-0x0000000074201000-memory.dmp
memory/3876-192-0x0000000073A50000-0x0000000074201000-memory.dmp
C:\Windows\TEMP\{7809AC21-1D5B-440A-89A5-23E182A02CF8}\.ba\ViberCA.dll
| MD5 | d077728bc3e22bfeb35fb9cf77ded5d5 |
| SHA1 | b64851cc67ba43a491a106d58fbb5508be153387 |
| SHA256 | 321ae77f823e0c2ca13817f36297a6d3ae321940f7fd88aba8b27c2e8ec74dc9 |
| SHA512 | 9bc154e256467ed17ba60f96275dca0d35f26752c8ae0c5690062704adb22dfbc39e4573eb4468f5eba9f2597b09b1fdcd102cdd3fc9475c68dc98a2fc4d2553 |
memory/3876-212-0x00000000098B0000-0x000000000996A000-memory.dmp
memory/3876-213-0x0000000009810000-0x000000000982C000-memory.dmp
memory/3876-220-0x0000000073A5E000-0x0000000073A5F000-memory.dmp
memory/3876-221-0x0000000073A50000-0x0000000074201000-memory.dmp
memory/3876-222-0x0000000073A50000-0x0000000074201000-memory.dmp
memory/3876-223-0x0000000073A50000-0x0000000074201000-memory.dmp
memory/3876-230-0x0000000073A50000-0x0000000074201000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Viber_20241113181041_000_ViberSetup.log
| MD5 | edd1e1b2ebc3916408c8f69cf864564e |
| SHA1 | 963435b3f0e9665c7cfa08f27871965004b8ebd1 |
| SHA256 | b7ede9d5b3f1dadb88055f4f0c95adb33a9b376afb3a0cfbc83121859868b4f7 |
| SHA512 | fbcea99c8a37c6f80d7d0a119dd9c811ecebfa3154e77c2bc7cbccebac4138993ed4d461901918c2249618ee4ba154c41e422ccdd5c845f743e02246796d6a95 |
memory/3876-238-0x0000000073A50000-0x0000000074201000-memory.dmp
C:\Windows\Installer\MSI9EE0.tmp
| MD5 | 85b14d36208bcec1e477f718a6bfc745 |
| SHA1 | 8e70101bb7d165325441c3c483816c6d6854ea73 |
| SHA256 | 4f25acda5cf1e2a484126915eda4700bbef256fea323a1c6a3bd89d095db0e48 |
| SHA512 | 86f88f594ac1bb6218b801e758bcaed6bf3cb00f526fab52f17be33b2219c03473c17e09c129bd6900cb25eb3df1ba13d292fa798f7b81d6b5794c530c75cdc7 |
memory/3008-262-0x0000000005C50000-0x0000000005C84000-memory.dmp
C:\Windows\Installer\SFXCA03C95AAB2142CE1B5D9F92ED70F52050\WixToolset.Dtf.WindowsInstaller.dll
| MD5 | ef8d5785ac8669f5fd54e22f52770e6b |
| SHA1 | 4c94ae7ef233be33a56c0a5d9b8e2211d5d5792c |
| SHA256 | a614884ea627da1925131ebf41e8ae202caeac0fe543b86384f5eb2bfaf1aa75 |
| SHA512 | ab3b140bd6531f22e994606820e6511442c23d9015b1e1a38aaed43aa42ba29a996511151d0b3a383c05c2b11f670e52cdd7f507ad1a1ad8cebea57fb22ade5a |
memory/3008-266-0x0000000005C90000-0x0000000005C98000-memory.dmp
C:\Windows\Installer\SFXCA03C95AAB2142CE1B5D9F92ED70F52050\ViberCustomActions.dll
| MD5 | 7acd65c197839fcaf477bc951e9589de |
| SHA1 | a7990f5455c5b41df1301ed9ff14eb2406657ffd |
| SHA256 | 67b6306dfe4bb1642fd3929e238faa7f02c2b9bbd6eb8c1005788061a06c895e |
| SHA512 | e30f2e017eb03774103609d4258c930cc98d67c2b0392100b33a3e70ab46ada63c4ed152d91b768a08b8293ae45c90f09eaf6f43d8cc0f658ad2f4ac86cedf55 |
C:\Windows\Installer\MSIA029.tmp
| MD5 | e8dc682f2c486075c6aba658971a62cc |
| SHA1 | 7cd0a2b5047a4074aa06a6caa3bb69124851e95d |
| SHA256 | 7aacd4c18710e9bc4ff2034895a0a0c8f80f21809fb177d520e93f7688216e6d |
| SHA512 | a0a1f0f418bf2d4ffd079b840aeb0142c7faab7fa72b5e33b1841798569f55a25dfd305abf9c2ca89792f6499f695b69975882697dc53e99d5a975a9fa8c7d75 |
memory/3876-279-0x0000000073A50000-0x0000000074201000-memory.dmp
C:\Config.Msi\e579adb.rbs
| MD5 | 35f80018bd93bc02fe7f9e4d4548ec91 |
| SHA1 | aa649a2b1cefa03d5a57203f069e39e011f21aa6 |
| SHA256 | 866f6585500954ee2d3466acc74e472788f3d1d3742d4cf997a875afa04b693a |
| SHA512 | 243faa3e01883948c413376df1f913fa759a01e5b0ee6ddbf94fe5bc45765d8daaf8db9d749f3a723aef3d6b46f7770a609e3d31d19137741571b92069db0e5f |
C:\Users\Admin\AppData\Local\Viber\icuin74.dll
| MD5 | 1524fc42c43cd38a0aaef4f75aacf2d7 |
| SHA1 | 569f9b4c0b8bc91de7ef13acd7dcbc20e4bfe6b7 |
| SHA256 | b32999113a26adaf2516853c9d5b517449ffb12557eab9023d0f8dc4c57f4498 |
| SHA512 | 5ff4e76023377741b747ee794f089f7e9f7b1b0c937232d0eb452fe40f427d34b11e5d044d513840f9d685bb5f75bb58f37fa8850205fddacb2decad6e9881b5 |
C:\Users\Admin\AppData\Local\Viber\icuuc74.dll
| MD5 | 9a8c245e47bd3708c517117719ef1ee5 |
| SHA1 | 827659a21eaec5376d2da74f509b988d5f6a60a6 |
| SHA256 | 6b90f51b118ab2733100b1f0086a710fbaa41d823df9a247b2db063c538d1996 |
| SHA512 | 7f6755d6ee72c9a4b20fbe6affc6bc8633f4c85eb743d6794afd54059c1c76927d53d11e0a7f6437617b6f604fda74a41ff4059bfc21ff456e30e0cff921d7b1 |
C:\Users\Admin\AppData\Local\Viber\Qt6QuickTemplates2.dll
| MD5 | 406b346cd1d22355b14cf5aad732647c |
| SHA1 | bba8df4553f8a1049f75e43e9e0046407ab20907 |
| SHA256 | f42ea4f600248eb4203e0541e3683959e7b03a9518eaa727d96895c2443ac71e |
| SHA512 | 53aa66cb395658a2fa05bbc7d95449ea50fdd18bb987f433a07fabbc3154aca4d39fdbd0f35d5c0f00cb567b2945f4b65f9e7869d6306f2051b0b76627a0d10b |
memory/3876-491-0x0000000073A50000-0x0000000074201000-memory.dmp
C:\Users\Admin\AppData\Local\Viber\Qt6Sql.dll
| MD5 | b4009008575200161300e2c5da81c160 |
| SHA1 | e30be81bab9abe33508557d56ffe9b0100a0bf2a |
| SHA256 | f7648f526fb9acc7d539751bdadcf693d02e1eee7f3378b9375dba2032833406 |
| SHA512 | bc86d3f0deb2aaf742c047d357dcc33f95bd4148cfe91ce1ef749f97535d992812358fad95c70c2ede48ccbf0ae2505bbf68bd2a29d676f530142758666e4f80 |
memory/1300-483-0x00007FFDF3110000-0x00007FFDF368B000-memory.dmp
C:\Users\Admin\AppData\Local\Viber\Qt6StateMachine.dll
| MD5 | cdc71cc20f1f1f5bb628f2494118137d |
| SHA1 | eb42c8a889a388eba847be8487673f4a3ecb5c38 |
| SHA256 | bc349684847b12c2419edaf91b32132b51e7776bd8df3ffb2e0d31a131e33128 |
| SHA512 | 3a613f7113e2256b87aed3a918021fd7f65ad1bc45f466db0e1d2d6c3b64b482be192d1ade3cb370c0b2d2843c8ef13c042a95d0b9800c341e5ee5382d9ccc64 |
C:\Users\Admin\AppData\Local\Viber\Qt6Concurrent.dll
| MD5 | b7b5fe333249e4cb205f0e781735fcae |
| SHA1 | ce4f411703aec692353225fc76497be52830b4bb |
| SHA256 | ca98aceed72544b6308e41a4ec7ca59f439b3671fc7275b165f1459599096907 |
| SHA512 | 96af8d5b5e98e42b2bda7221859c56e7d4a45c7075884b818b77d5511429bac3c0875819c0dd25ffa98125af653eaed7603cd43a412116ffac90a096c812fa72 |
C:\Users\Admin\AppData\Local\Viber\cld_wrapper_shared.dll
| MD5 | d66b863da1b2ee165bba59647a590f39 |
| SHA1 | 69e579737fa5b757e050eaa9857000847686e378 |
| SHA256 | 36a83c571457085fc5a0cfd7bdb180131230188e19be85f4aad5298891eda1bb |
| SHA512 | cf00b6004c98a896fd89c9bc8446fc8957a5a38668e60175f476bc883f8da3498f90ccdf6cbe1c0466e25cd5726f19e344518f7fdf57a447b3ab6b3122e78149 |
memory/1300-489-0x00007FF6787A0000-0x00007FF67C156000-memory.dmp
memory/1300-604-0x0000015ED9BE0000-0x0000015ED9DE2000-memory.dmp
memory/1300-602-0x0000015ED9790000-0x0000015ED9BD2000-memory.dmp
memory/1300-646-0x0000015EDADD0000-0x0000015EDADD1000-memory.dmp
memory/1300-647-0x0000015EDADD0000-0x0000015EDADD1000-memory.dmp
memory/1300-652-0x0000015EDADF0000-0x0000015EDADF1000-memory.dmp
memory/1300-651-0x0000015EDADF0000-0x0000015EDADF1000-memory.dmp
memory/1300-650-0x0000015EDADF0000-0x0000015EDADF1000-memory.dmp
memory/1300-649-0x0000015EDADF0000-0x0000015EDADF1000-memory.dmp
memory/1300-654-0x0000015EDAE00000-0x0000015EDAE01000-memory.dmp
memory/1300-655-0x0000015EDADF0000-0x0000015EDADF1000-memory.dmp
memory/1300-656-0x0000015EDAE00000-0x0000015EDAE01000-memory.dmp
memory/1300-659-0x0000015EDADF0000-0x0000015EDADF1000-memory.dmp
memory/1300-660-0x0000015EDAE00000-0x0000015EDAE01000-memory.dmp
memory/1300-663-0x0000015EDC680000-0x0000015EDC681000-memory.dmp
memory/1300-666-0x0000015EDC680000-0x0000015EDC681000-memory.dmp
memory/1300-665-0x0000015EDC680000-0x0000015EDC681000-memory.dmp
memory/1300-664-0x0000015EDC680000-0x0000015EDC681000-memory.dmp
memory/1300-662-0x0000015EDC680000-0x0000015EDC681000-memory.dmp
memory/1300-668-0x0000015EDC690000-0x0000015EDC691000-memory.dmp
memory/1300-669-0x0000015EDC690000-0x0000015EDC691000-memory.dmp
memory/1300-671-0x0000015EDC6A0000-0x0000015EDC6A1000-memory.dmp
memory/1300-672-0x0000015EDC690000-0x0000015EDC691000-memory.dmp
memory/1300-673-0x0000015EDC6A0000-0x0000015EDC6A1000-memory.dmp
memory/1300-674-0x0000015EDC6A0000-0x0000015EDC6A1000-memory.dmp
memory/1300-675-0x0000015EDAE00000-0x0000015EDAE01000-memory.dmp
memory/1300-693-0x0000015EDC9B0000-0x0000015EDC9B2000-memory.dmp
memory/1300-692-0x0000015EDC9B0000-0x0000015EDC9B2000-memory.dmp
memory/1300-696-0x0000015EDC690000-0x0000015EDC691000-memory.dmp
memory/1300-718-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-721-0x0000015EDC9E0000-0x0000015EDC9E2000-memory.dmp
memory/1300-720-0x0000015EDC9F0000-0x0000015EDC9F1000-memory.dmp
memory/1300-717-0x0000015EDC9C0000-0x0000015EDC9C1000-memory.dmp
memory/1300-716-0x0000015EDC9E0000-0x0000015EDC9E2000-memory.dmp
memory/1300-715-0x0000015EDC9E0000-0x0000015EDC9E2000-memory.dmp
memory/1300-713-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-712-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-711-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-710-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-709-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-708-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-707-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-706-0x0000015EDC9B0000-0x0000015EDC9B2000-memory.dmp
memory/1300-705-0x0000015EDC9B0000-0x0000015EDC9B2000-memory.dmp
memory/1300-704-0x0000015EDC9D0000-0x0000015EDC9D1000-memory.dmp
memory/1300-702-0x0000015EDC9C0000-0x0000015EDC9C1000-memory.dmp
memory/1300-701-0x0000015EDC9C0000-0x0000015EDC9C1000-memory.dmp
memory/1300-699-0x0000015EDADF0000-0x0000015EDADF1000-memory.dmp
memory/1300-698-0x0000015EDC9B0000-0x0000015EDC9B2000-memory.dmp
memory/1300-697-0x0000015EDC680000-0x0000015EDC681000-memory.dmp
memory/1300-695-0x0000015EDC690000-0x0000015EDC691000-memory.dmp
memory/1300-694-0x0000015EDC9B0000-0x0000015EDC9B2000-memory.dmp