General Info

File name

48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe

Full analysis
https://app.any.run/tasks/94fae7f8-9872-49ed-8740-5a1a09875d1d
Verdict
Malicious activity
Threats:

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This upgraded version of Arkei stealer has been terrorizing the internet since 2018.

Analysis date
15/01/2022, 02:27:17
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

stealer

vidar

loader

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

b91df3382fb792927b7a43f595102a68

SHA1

98fc7fd55800a296405da0c4dcfb4aabba017566

SHA256

48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98

SSDEEP

12288:qoge7YMLGdl/7bixf6PVeswgyKS3jpOd2ZHtrpJhZOsujniX9R974WiCr47O/:Vge7YMo57Af0RyVEcHtrpD3u+70WixO/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Changes settings of System certificates
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Loads dropped or rewritten executable
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Stealing of credential data
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Steals credentials from Web Browsers
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
VIDAR was detected
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Actions looks like stealing of personal data
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Checks supported languages
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
  • cmd.exe (PID: 404)
Reads CPU info
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Adds / modifies Windows certificates
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Drops a file that was compiled in debug mode
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Executable content was dropped or overwritten
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Reads the computer name
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Reads Environment values
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Reads the cookies of Mozilla Firefox
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Creates files in the program directory
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Reads the cookies of Google Chrome
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Searches for installed software
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Starts CMD.EXE for commands execution
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Starts CMD.EXE for self-deleting
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Uses TASKKILL.EXE to kill process
  • cmd.exe (PID: 404)
Reads settings of System Certificates
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Checks Windows Trust Settings
  • 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe (PID: 2220)
Checks supported languages
  • timeout.exe (PID: 2260)
  • taskkill.exe (PID: 2412)
Reads the computer name
  • taskkill.exe (PID: 2412)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (42.2%)
.exe
|   Win64 Executable (generic) (37.3%)
.dll
|   Win32 Dynamic Link Library (generic) (8.8%)
.exe
|   Win32 Executable (generic) (6%)
.exe
|   Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2021:03:18 14:23:15+01:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
693248
InitializedDataSize:
1210368
UninitializedDataSize:
null
EntryPoint:
0x87350
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
18-Mar-2021 13:23:15
Detected languages
Divehi - Maldives
Spanish - Colombia
Debug artifacts
C:\bonalaxix99-dulej.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
7
Time date stamp:
18-Mar-2021 13:23:15
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x000A93C6 0x000A9400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 7.799
.data 0x000AB000 0x00119FBC 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.47876
.yunu 0x001C5000 0x00000005 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.tomovah\xea 0x001C6000 0x000000EA 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.diware 0x001C7000 0x00000D93 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x001C8000 0x00007B10 0x00007C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.88994
.reloc 0x001D0000 0x000049EA 0x00004A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 3.51673
Resources
1

2

3

4

5

6

7

8

9

10

11

24

25

26

27

28

124

126

191

429

432

437

446

453

456

497

591

765

Imports
    KERNEL32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
41
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

+
start #VIDAR 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe cmd.exe no specs taskkill.exe no specs timeout.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2220
CMD
"C:\Users\admin\AppData\Local\Temp\48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe"
Path
C:\Users\admin\AppData\Local\Temp\48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wininet.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\credssp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\webio.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\schannel.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wship6.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\programdata\nss3.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\programdata\mozglue.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\programdata\softokn3.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\programdata\freebl3.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\apphelp.dll

PID
404
CMD
"C:\Windows\System32\cmd.exe" /c taskkill /im 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe /f & timeout /t 6 & del /f /q "C:\Users\admin\AppData\Local\Temp\48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe" & del C:\ProgramData\*.dll & exit
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\usp10.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\lpk.dll
c:\windows\system32\timeout.exe
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll

PID
2412
CMD
taskkill /im 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe /f
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\framedynos.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\user32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\lpk.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nsi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll

PID
2260
CMD
timeout /t 6
Path
C:\Windows\system32\timeout.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
timeout - pauses command processing
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\usp10.dll
c:\windows\system32\timeout.exe
c:\windows\system32\user32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll

Registry activity

Total events
6755
Read events
0
Write events
40
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
(default)
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionTime
65E4F06DB709D801
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecision
0
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionReason
1
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadNetworkName
Network 4
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
65E4F06DB709D801
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionReason
1
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecision
0
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Blob
0400000001000000100000000CD2F9E0DA1773E9ED864DA5E370E74E0F00000001000000200000003F0411EDE9C4477057D57E57883B1F205B20CDC0F3263129B1EE0269A2678F63030000000100000014000000CABD2A79A1076A31F21D253635CB039D4329A5E809000000010000000C000000300A06082B060105050703011D000000010000001000000073B6876195F5D18E048510422AEF04E314000000010000001400000079B459E67BB6E5E40173800888C81A58F6E99B6E0B000000010000001A0000004900530052004700200052006F006F007400200058003100000062000000010000002000000096BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C61900000001000000100000002FE1F70BB05D7C92335BC5E05B984DA620000000010000006F0500003082056B30820353A0030201020211008210CFB0D240E3594463E0BB63828B00300D06092A864886F70D01010B0500304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F74205831301E170D3135303630343131303433385A170D3335303630343131303433385A304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F7420583130820222300D06092A864886F70D01010105000382020F003082020A0282020100ADE82473F41437F39B9E2B57281C87BEDCB7DF38908C6E3CE657A078F775C2A2FEF56A6EF6004F28DBDE68866C4493B6B163FD14126BBF1FD2EA319B217ED1333CBA48F5DD79DFB3B8FF12F1219A4BC18A8671694A66666C8F7E3C70BFAD292206F3E4C0E680AEE24B8FB7997E94039FD347977C99482353E838AE4F0A6F832ED149578C8074B6DA2FD0388D7B0370211B75F2303CFA8FAEDDDA63ABEB164FC28E114B7ECF0BE8FFB5772EF4B27B4AE04C12250C708D0329A0E15324EC13D9EE19BF10B34A8C3F89A36151DEAC870794F46371EC2EE26F5B9881E1895C34796C76EF3B906279E6DBA49A2F26C5D010E10EDED9108E16FBB7F7A8F7C7E50207988F360895E7E237960D36759EFB0E72B11D9BBC03F94905D881DD05B42AD641E9AC0176950A0FD8DFD5BD121F352F28176CD298C1A80964776E4737BACEAC595E689D7F72D689C50641293E593EDD26F524C911A75AA34C401F46A199B5A73A516E863B9E7D72A712057859ED3E5178150B038F8DD02F05B23E7B4A1C4B730512FCC6EAE050137C439374B3CA74E78E1F0108D030D45B7136B407BAC130305C48B7823B98A67D608AA2A32982CCBABD83041BA2830341A1D605F11BC2B6F0A87C863B46A8482A88DC769A76BF1F6AA53D198FEB38F364DEC82B0D0A28FFF7DBE21542D422D0275DE179FE18E77088AD4EE6D98B3AC6DD27516EFFBC64F533434F0203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E0416041479B459E67BB6E5E40173800888C81A58F6E99B6E300D06092A864886F70D01010B05000382020100551F58A9BCB2A850D00CB1D81A6920272908AC61755C8A6EF882E5692FD5F6564BB9B8731059D321977EE74C71FBB2D260AD39A80BEA17215685F1500E59EBCEE059E9BAC915EF869D8F8480F6E4E99190DC179B621B45F06695D27C6FC2EA3BEF1FCFCBD6AE27F1A9B0C8AEFD7D7E9AFA2204EBFFD97FEA912B22B1170E8FF28A345B58D8FC01C954B9B826CC8A8833894C2D843C82DFEE965705BA2CBBF7C4B7C74E3B82BE31C822737392D1C280A43939103323824C3C9F86B255981DBE29868C229B9EE26B3B573A82704DDC09C789CB0A074D6CE85D8EC9EFCEABC7BBB52B4E45D64AD026CCE572CA086AA595E315A1F7A4EDC92C5FA5FBFFAC28022EBED77BBBE3717B9016D3075E46537C3707428CD3C4969CD599B52AE0951A8048AE4C3907CECC47A452952BBAB8FBADD233537DE51D4D6DD5A1B1C7426FE64027355CA328B7078DE78D3390E7239FFB509C796C46D5B415B3966E7E9B0C963AB8522D3FD65BE1FB08C284FE24A8A389DAAC6AE1182AB1A843615BD31FDC3B8D76F22DE88D75DF17336C3D53FB7BCB415FFFDCA2D06138E196B8AC5D8B37D775D533C09911AE9D41C1727584BE0241425F67244894D19B27BE073FB9B84F817451E17AB7ED9D23E2BEE0D52804133C31039EDD7A6C8FC60718C67FDE478E3F289E0406CFA5543477BDEC899BE91743DF5BDB5FFE8E1E57A2CD409D7E6222DADE1827
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Blob
5C0000000100000004000000001000000F00000001000000200000003F0411EDE9C4477057D57E57883B1F205B20CDC0F3263129B1EE0269A2678F63030000000100000014000000CABD2A79A1076A31F21D253635CB039D4329A5E809000000010000000C000000300A06082B060105050703011D000000010000001000000073B6876195F5D18E048510422AEF04E314000000010000001400000079B459E67BB6E5E40173800888C81A58F6E99B6E0B000000010000001A0000004900530052004700200052006F006F007400200058003100000062000000010000002000000096BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C61900000001000000100000002FE1F70BB05D7C92335BC5E05B984DA620000000010000006F0500003082056B30820353A0030201020211008210CFB0D240E3594463E0BB63828B00300D06092A864886F70D01010B0500304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F74205831301E170D3135303630343131303433385A170D3335303630343131303433385A304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F7420583130820222300D06092A864886F70D01010105000382020F003082020A0282020100ADE82473F41437F39B9E2B57281C87BEDCB7DF38908C6E3CE657A078F775C2A2FEF56A6EF6004F28DBDE68866C4493B6B163FD14126BBF1FD2EA319B217ED1333CBA48F5DD79DFB3B8FF12F1219A4BC18A8671694A66666C8F7E3C70BFAD292206F3E4C0E680AEE24B8FB7997E94039FD347977C99482353E838AE4F0A6F832ED149578C8074B6DA2FD0388D7B0370211B75F2303CFA8FAEDDDA63ABEB164FC28E114B7ECF0BE8FFB5772EF4B27B4AE04C12250C708D0329A0E15324EC13D9EE19BF10B34A8C3F89A36151DEAC870794F46371EC2EE26F5B9881E1895C34796C76EF3B906279E6DBA49A2F26C5D010E10EDED9108E16FBB7F7A8F7C7E50207988F360895E7E237960D36759EFB0E72B11D9BBC03F94905D881DD05B42AD641E9AC0176950A0FD8DFD5BD121F352F28176CD298C1A80964776E4737BACEAC595E689D7F72D689C50641293E593EDD26F524C911A75AA34C401F46A199B5A73A516E863B9E7D72A712057859ED3E5178150B038F8DD02F05B23E7B4A1C4B730512FCC6EAE050137C439374B3CA74E78E1F0108D030D45B7136B407BAC130305C48B7823B98A67D608AA2A32982CCBABD83041BA2830341A1D605F11BC2B6F0A87C863B46A8482A88DC769A76BF1F6AA53D198FEB38F364DEC82B0D0A28FFF7DBE21542D422D0275DE179FE18E77088AD4EE6D98B3AC6DD27516EFFBC64F533434F0203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E0416041479B459E67BB6E5E40173800888C81A58F6E99B6E300D06092A864886F70D01010B05000382020100551F58A9BCB2A850D00CB1D81A6920272908AC61755C8A6EF882E5692FD5F6564BB9B8731059D321977EE74C71FBB2D260AD39A80BEA17215685F1500E59EBCEE059E9BAC915EF869D8F8480F6E4E99190DC179B621B45F06695D27C6FC2EA3BEF1FCFCBD6AE27F1A9B0C8AEFD7D7E9AFA2204EBFFD97FEA912B22B1170E8FF28A345B58D8FC01C954B9B826CC8A8833894C2D843C82DFEE965705BA2CBBF7C4B7C74E3B82BE31C822737392D1C280A43939103323824C3C9F86B255981DBE29868C229B9EE26B3B573A82704DDC09C789CB0A074D6CE85D8EC9EFCEABC7BBB52B4E45D64AD026CCE572CA086AA595E315A1F7A4EDC92C5FA5FBFFAC28022EBED77BBBE3717B9016D3075E46537C3707428CD3C4969CD599B52AE0951A8048AE4C3907CECC47A452952BBAB8FBADD233537DE51D4D6DD5A1B1C7426FE64027355CA328B7078DE78D3390E7239FFB509C796C46D5B415B3966E7E9B0C963AB8522D3FD65BE1FB08C284FE24A8A389DAAC6AE1182AB1A843615BD31FDC3B8D76F22DE88D75DF17336C3D53FB7BCB415FFFDCA2D06138E196B8AC5D8B37D775D533C09911AE9D41C1727584BE0241425F67244894D19B27BE073FB9B84F817451E17AB7ED9D23E2BEE0D52804133C31039EDD7A6C8FC60718C67FDE478E3F289E0406CFA5543477BDEC899BE91743DF5BDB5FFE8E1E57A2CD409D7E6222DADE1827
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Blob
5C0000000100000004000000001000001900000001000000100000002FE1F70BB05D7C92335BC5E05B984DA662000000010000002000000096BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C60B000000010000001A0000004900530052004700200052006F006F007400200058003100000014000000010000001400000079B459E67BB6E5E40173800888C81A58F6E99B6E1D000000010000001000000073B6876195F5D18E048510422AEF04E3030000000100000014000000CABD2A79A1076A31F21D253635CB039D4329A5E80F00000001000000200000003F0411EDE9C4477057D57E57883B1F205B20CDC0F3263129B1EE0269A2678F63090000000100000016000000301406082B0601050507030206082B0601050507030120000000010000006F0500003082056B30820353A0030201020211008210CFB0D240E3594463E0BB63828B00300D06092A864886F70D01010B0500304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F74205831301E170D3135303630343131303433385A170D3335303630343131303433385A304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F7420583130820222300D06092A864886F70D01010105000382020F003082020A0282020100ADE82473F41437F39B9E2B57281C87BEDCB7DF38908C6E3CE657A078F775C2A2FEF56A6EF6004F28DBDE68866C4493B6B163FD14126BBF1FD2EA319B217ED1333CBA48F5DD79DFB3B8FF12F1219A4BC18A8671694A66666C8F7E3C70BFAD292206F3E4C0E680AEE24B8FB7997E94039FD347977C99482353E838AE4F0A6F832ED149578C8074B6DA2FD0388D7B0370211B75F2303CFA8FAEDDDA63ABEB164FC28E114B7ECF0BE8FFB5772EF4B27B4AE04C12250C708D0329A0E15324EC13D9EE19BF10B34A8C3F89A36151DEAC870794F46371EC2EE26F5B9881E1895C34796C76EF3B906279E6DBA49A2F26C5D010E10EDED9108E16FBB7F7A8F7C7E50207988F360895E7E237960D36759EFB0E72B11D9BBC03F94905D881DD05B42AD641E9AC0176950A0FD8DFD5BD121F352F28176CD298C1A80964776E4737BACEAC595E689D7F72D689C50641293E593EDD26F524C911A75AA34C401F46A199B5A73A516E863B9E7D72A712057859ED3E5178150B038F8DD02F05B23E7B4A1C4B730512FCC6EAE050137C439374B3CA74E78E1F0108D030D45B7136B407BAC130305C48B7823B98A67D608AA2A32982CCBABD83041BA2830341A1D605F11BC2B6F0A87C863B46A8482A88DC769A76BF1F6AA53D198FEB38F364DEC82B0D0A28FFF7DBE21542D422D0275DE179FE18E77088AD4EE6D98B3AC6DD27516EFFBC64F533434F0203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E0416041479B459E67BB6E5E40173800888C81A58F6E99B6E300D06092A864886F70D01010B05000382020100551F58A9BCB2A850D00CB1D81A6920272908AC61755C8A6EF882E5692FD5F6564BB9B8731059D321977EE74C71FBB2D260AD39A80BEA17215685F1500E59EBCEE059E9BAC915EF869D8F8480F6E4E99190DC179B621B45F06695D27C6FC2EA3BEF1FCFCBD6AE27F1A9B0C8AEFD7D7E9AFA2204EBFFD97FEA912B22B1170E8FF28A345B58D8FC01C954B9B826CC8A8833894C2D843C82DFEE965705BA2CBBF7C4B7C74E3B82BE31C822737392D1C280A43939103323824C3C9F86B255981DBE29868C229B9EE26B3B573A82704DDC09C789CB0A074D6CE85D8EC9EFCEABC7BBB52B4E45D64AD026CCE572CA086AA595E315A1F7A4EDC92C5FA5FBFFAC28022EBED77BBBE3717B9016D3075E46537C3707428CD3C4969CD599B52AE0951A8048AE4C3907CECC47A452952BBAB8FBADD233537DE51D4D6DD5A1B1C7426FE64027355CA328B7078DE78D3390E7239FFB509C796C46D5B415B3966E7E9B0C963AB8522D3FD65BE1FB08C284FE24A8A389DAAC6AE1182AB1A843615BD31FDC3B8D76F22DE88D75DF17336C3D53FB7BCB415FFFDCA2D06138E196B8AC5D8B37D775D533C09911AE9D41C1727584BE0241425F67244894D19B27BE073FB9B84F817451E17AB7ED9D23E2BEE0D52804133C31039EDD7A6C8FC60718C67FDE478E3F289E0406CFA5543477BDEC899BE91743DF5BDB5FFE8E1E57A2CD409D7E6222DADE1827
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US

Files activity

Executable files
12
Suspicious files
11
Text files
7
Unknown types
11

Dropped files

PID
Process
Filename
Type
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\vcruntime140[1].dll
executable
MD5: 7587bf9cb4147022cd5681b015183046
SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\vcruntime140.dll
executable
MD5: 7587bf9cb4147022cd5681b015183046
SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\softokn3[1].dll
executable
MD5: a2ee53de9167bf0d6c019303b7ca84e5
SHA256: 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\softokn3.dll
executable
MD5: a2ee53de9167bf0d6c019303b7ca84e5
SHA256: 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\freebl3[1].dll
executable
MD5: ef2834ac4ee7d6724f255beaf527e635
SHA256: a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\mozglue[1].dll
executable
MD5: 8f73c08a9660691143661bf7332c3c27
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\mozglue.dll
executable
MD5: 8f73c08a9660691143661bf7332c3c27
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\nss3[1].dll
executable
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\freebl3.dll
executable
MD5: ef2834ac4ee7d6724f255beaf527e635
SHA256: a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\nss3.dll
executable
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\msvcp140.dll
executable
MD5: 109f0f02fd37c84bfc7508d4227d7ed5
SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\msvcp140[1].dll
executable
MD5: 109f0f02fd37c84bfc7508d4227d7ed5
SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\passwords.txt
text
MD5: 2caec6d52d6f62bb1ce6b07d5d6f7524
SHA256: b625f7956958324df9093a7eea0ba791010026bcba4d2f305c5b8207c2ae5973
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\screenshot.jpg
image
MD5: 4eae590944cad277eea13910a052bfb3
SHA256: 36260df2560b20bf830cb23b4192354372f8ea734dc0fc80b740827495e8b520
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\temp-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\temp
sqlite
MD5: d02907be1c995e1e51571eedb82fa281
SHA256: 2189977f6ea58bdad5883720b099e12b869f223fb9b18ac40e7d37c5954a55dd
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\History\Mozilla Firefox_qldyz51w.default.txt
text
MD5: 30ff4b561a67f060a525ba8a982771fc
SHA256: 819c2d4f4208c3daef9a1415ac4851abfa1486af28f3f05e79bee2a3dcc2981b
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\History\Google Chrome_Default.txt
text
MD5: 5cfa669c958aa578ec40550d36f99ba1
SHA256: 38c8bd75da51a0c4d74220cbf6df69d1e027e2697ef48399f4e0bb562d4b6126
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\Files\Default.zip
compressed
MD5: 03384077ad5c931be594992568d70c54
SHA256: 20bf7da8db0c20f60e58ee74f58388b85e418c9b1d5f6237fc6761a3e6ef5797
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\information.txt
text
MD5: b220fbd8d8d8b4c5794577a6ea920a00
SHA256: 52480ac320b5a8e12bdae18f04f705a9fcbdb8ef43331f183ab0cb1b88396caa
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\Cookies\Google Chrome_Default.txt
text
MD5: dbadd707dce579f6e4265512d968e4a4
SHA256: 246e9d04abf10999294d136f7c5b506ad516fdd7d9c95eae8058399bca0282d8
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\90059c37-1320-41a4-b58d-2b75a9850d2f3799612175.zip
compressed
MD5: 793c94fe71187116bf207c86b68d6c7b
SHA256: 7ef5dc1f769a80ad4cd4fc20bce5d07eaceb2eae8adf7b2233d70c5245501ac9
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\ProgramData\UQP5HTSBMZ95KBY191HJUR5N1\files\Cookies\IE_Cookies.txt
text
MD5: 0d72e234c4db9fedefa991a4988161a4
SHA256: b804b10cf46a35c7f8deffa262544d58c9419d431cbfbbed7ff9a313a5d3daed
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1BC9AB181787262A231C535045C7F569
binary
MD5: fa219a2daa9a121c4023d56357db5a7c
SHA256: 2bd3bb067168d9d8e44d1a41049ceb95c790542e54fb293749967369cb8714cd
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BC9AB181787262A231C535045C7F569
der
MD5: 645b08addc6e99426cd222b6c5927637
SHA256: 7724b4c182cacf3103b20813226e21afacd663401941da0ecf3616b32cd5318d
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\Local\Temp\Tar3526.tmp
cat
MD5: d99661d0893a52a0700b8ae68457351a
SHA256: bdd5111162a6fa25682e18fa74e37e676d49cafcb5b7207e98e5256d1ef0d003
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
compressed
MD5: f7dcb24540769805e5bb30d193944dce
SHA256: 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
der
MD5: 54e9306f95f32e50ccd58af19753d929
SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
binary
MD5: 6f7691625ce1b8fe201822b6127062a6
SHA256: 4b39323d069c2f03bfe54a8a1127991081cb0995bdf9890a1fd16b64fcaa02b5
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
binary
MD5: 60d2e771b3d96d2302daae50b4b8a87f
SHA256: 12209527227d2db0540f2f86eb9e9e7540bd22ffce9ba9f1591731177104e7f7
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
binary
MD5: 5ab9314689895c7da3b45ae1f08a109c
SHA256: 7f299acceee4c6678b3aa2a25894551666d01c94133e6e3c603fbc9618946373
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
compressed
MD5: acaeda60c79c6bcac925eeb3653f45e0
SHA256: 6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658
2220
48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe
C:\Users\admin\AppData\Local\Temp\Cab3525.tmp
compressed
MD5: acaeda60c79c6bcac925eeb3653f45e0
SHA256: 6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
12
TCP/UDP connections
5
DNS requests
4
Threats
26

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 23.32.238.178:80 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fc5a84046367cfc9 US
compressed
whitelisted
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 23.32.238.178:80 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a43ca681334e0740 US
compressed
whitelisted
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 23.45.105.185:80 http://x1.c.lencr.org/ NL
der
whitelisted
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 195.138.255.16:80 http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRzWdYTnuTwhcI83w5HkN2ckQ%3D%3D DE
der
shared
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe POST 200 78.46.160.87:80 http://78.46.160.87/565 DE
text
text
malicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 78.46.160.87:80 http://78.46.160.87/freebl3.dll DE
text
executable
malicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 78.46.160.87:80 http://78.46.160.87/mozglue.dll DE
text
executable
malicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 78.46.160.87:80 http://78.46.160.87/msvcp140.dll DE
text
executable
malicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 78.46.160.87:80 http://78.46.160.87/nss3.dll DE
text
executable
malicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 78.46.160.87:80 http://78.46.160.87/softokn3.dll DE
text
executable
malicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe GET 200 78.46.160.87:80 http://78.46.160.87/vcruntime140.dll DE
text
executable
malicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe POST 200 78.46.160.87:80 http://78.46.160.87/ DE
binary
text
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe 149.28.78.238:443 US suspicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe 23.32.238.178:80 XO Communications US unknown
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe 23.45.105.185:80 Akamai International B.V. NL unknown
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe 195.138.255.16:80 AS33891 Netzbetrieb GmbH DE suspicious
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe 78.46.160.87:80 Hetzner Online GmbH DE malicious

DNS requests

Domain IP Reputation
noc.social 149.28.78.238
suspicious
ctldl.windowsupdate.com 23.32.238.178
23.32.238.201
whitelisted
x1.c.lencr.org 23.45.105.185
whitelisted
r3.o.lencr.org 195.138.255.16
195.138.255.18
shared

Threats

PID Process Class Message
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe A Network Trojan was detected ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potentially Bad Traffic ET INFO Dotted Quad Host DLL Request
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potential Corporate Privacy Violation AV POLICY HTTP request for .dll file with no User-Agent
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potentially Bad Traffic ET INFO Dotted Quad Host DLL Request
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potential Corporate Privacy Violation AV POLICY HTTP request for .dll file with no User-Agent
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potentially Bad Traffic ET INFO Dotted Quad Host DLL Request
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potential Corporate Privacy Violation AV POLICY HTTP request for .dll file with no User-Agent
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potentially Bad Traffic ET INFO Dotted Quad Host DLL Request
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potential Corporate Privacy Violation AV POLICY HTTP request for .dll file with no User-Agent
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potentially Bad Traffic ET INFO Dotted Quad Host DLL Request
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potential Corporate Privacy Violation AV POLICY HTTP request for .dll file with no User-Agent
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potentially Bad Traffic ET INFO Dotted Quad Host DLL Request
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potential Corporate Privacy Violation AV POLICY HTTP request for .dll file with no User-Agent
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe A Network Trojan was detected ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe A Network Trojan was detected ET TROJAN Vidar/Arkei Stealer Client Data Upload
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe A Network Trojan was detected ET TROJAN Vidar/Arkei/Megumin/Oski Stealer Data Exfil
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe A Network Trojan was detected ET TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
2220 48c7a0f90aeb87e9ba5feb08b5bedbcb70aacf2632636f71a62e2ffdd551ec98.exe Potentially Bad Traffic ET INFO Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)

7 ETPRO signatures available at the full report

Debug output strings

No debug info.