Analysis Overview
SHA256
2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Threat Level: Known bad
The file 11dcd8e017b0e067e922cfb6507a8dde.exe was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Amadey
AsyncRat
ZGRat
Vidar
Detect ZGRat V1
Async RAT payload
Downloads MZ/PE file
Blocklisted process makes network request
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Reads local data of messenger clients
Reads WinSCP keys stored on the system
Adds Run key to start application
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 04:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 04:28
Reported
2024-04-17 04:30
Platform
win10v2004-20240412-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Amadey
AsyncRat
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1656
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4888 -ip 4888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 2064
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1800
C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1792
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1640
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1632
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5080 -ip 5080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 2072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 680 -ip 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 448
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp146D.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
C:\Users\Admin\AppData\Roaming\appBroker.exe
"C:\Users\Admin\AppData\Roaming\appBroker.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1656
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 856 -ip 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1808
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\556644402199_Desktop.zip' -CompressionLevel Optimal
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 96.39.123.93.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.28.217.95.in-addr.arpa | udp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FR | 94.228.162.82:80 | 94.228.162.82 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 82.162.228.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| FR | 94.228.162.82:8808 | | tcp |
| FR | 94.228.162.82:8808 | | tcp |
| FR | 94.228.162.82:8808 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
Files
memory/3016-1-0x0000000002C70000-0x0000000002D70000-memory.dmp
memory/3016-2-0x00000000048E0000-0x000000000494F000-memory.dmp
memory/3016-3-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 11dcd8e017b0e067e922cfb6507a8dde |
| SHA1 | 80c4e499c9666401a0f9099482c7fa9debe006d5 |
| SHA256 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70 |
| SHA512 | 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0 |
memory/3016-16-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/3016-17-0x00000000048E0000-0x000000000494F000-memory.dmp
memory/4860-18-0x0000000002DD0000-0x0000000002ED0000-memory.dmp
memory/4860-19-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\556644402199
| MD5 | 61c6759b7d1ab0dfcfbccbb328d3108b |
| SHA1 | b1c6cea6b6edc3d496ac4c8dae3b57a38ef58977 |
| SHA256 | 8f74a77e8e7cc3fcc2c36864aa9a6be195becfa1de3ea989b2ebe74fd2ae25c7 |
| SHA512 | 5a39fce9387f05ef72b71916dcc560d77abf9c824c8d6ebb4a8e166a5d2cf16b66537a77fa5e4e3682f422ba72c7e0cd106ee4c765c49569d3951b048af20184 |
memory/4860-29-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/4860-30-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/4860-31-0x0000000002DD0000-0x0000000002ED0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
| MD5 | b099ea0b80ecf49caa0d7003e0c95071 |
| SHA1 | 228a2aec5cf27fd0fca1f23161257f86bd8359ca |
| SHA256 | 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92 |
| SHA512 | 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029 |
memory/4888-48-0x0000000002E30000-0x0000000002F30000-memory.dmp
memory/4888-49-0x0000000002DD0000-0x0000000002E05000-memory.dmp
memory/4888-50-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/4888-52-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/4860-53-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll
| MD5 | 37976db9d0e6f8bf9db5ae4b56006d9d |
| SHA1 | dda3158d09c332c054d01fa08ad9824cb00c7d6a |
| SHA256 | 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687 |
| SHA512 | fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47 |
memory/5080-82-0x0000000002F00000-0x0000000003000000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U6QMY0YF\76561199673019888[1].htm
| MD5 | 0f211e72e08c4d3630c15b76c6a7e63a |
| SHA1 | 287f558b1ddd01c782ffefa6f33a9e20c26feb8e |
| SHA256 | 370736e438efa48dc2a5751a7a5d1e55c40aa8e0bcb6cc26d8c42d8b072af253 |
| SHA512 | 221359240c9720efafd4ff45f80c75cdab4c4ff506f7b95a5ff7bf412e543bfef32aca5c1a4ff077c9e54220185fa1b9f7ffb2bed74a763cc6905df6fde0af2f |
memory/5080-92-0x0000000000400000-0x0000000002C2E000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
| MD5 | 7fd8581748cdf137023ef96f1286ce0f |
| SHA1 | c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a |
| SHA256 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6 |
| SHA512 | bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282 |
memory/2732-114-0x0000000000C20000-0x0000000000C32000-memory.dmp
memory/2732-115-0x00000000715D0000-0x0000000071D80000-memory.dmp
memory/680-118-0x0000000002F20000-0x0000000003020000-memory.dmp
memory/680-120-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/5080-119-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/4860-121-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/680-122-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/2732-123-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2732-124-0x0000000005630000-0x00000000056CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp146D.tmp.bat
| MD5 | 2de12864e056681a7aac7ea1c0de88f6 |
| SHA1 | 8b3b3fcb9a2fc1d10a4a6aa5c0f8832e3a8a7cf0 |
| SHA256 | 21d7f784e4b9990683377a96ddbacc0788b6459f16263c60ec289f79de6d0f2b |
| SHA512 | 80a656c50090aafbd2532c797e96f8e6a14d92f3aae024902c534e7b8ca380bdfea009af6a7118010460ccbeb32209c0942e673b6e982e90b6c0ea8c9205eee7 |
memory/2732-130-0x00000000715D0000-0x0000000071D80000-memory.dmp
memory/2060-134-0x0000000072860000-0x0000000073010000-memory.dmp
memory/2060-135-0x0000000004D60000-0x0000000004D70000-memory.dmp
memory/2060-136-0x0000000005660000-0x0000000005C04000-memory.dmp
memory/2060-137-0x0000000005120000-0x0000000005186000-memory.dmp
memory/2060-139-0x0000000006290000-0x0000000006306000-memory.dmp
memory/2060-140-0x0000000006510000-0x00000000065AC000-memory.dmp
memory/2060-141-0x0000000006260000-0x000000000627E000-memory.dmp
memory/2060-142-0x00000000065B0000-0x00000000065F0000-memory.dmp
memory/2060-143-0x00000000065F0000-0x00000000065FA000-memory.dmp
memory/2060-145-0x0000000072860000-0x0000000073010000-memory.dmp
memory/2060-146-0x0000000006720000-0x0000000006782000-memory.dmp
memory/2060-148-0x0000000004D60000-0x0000000004D70000-memory.dmp
memory/856-153-0x0000000002EE0000-0x0000000002FE0000-memory.dmp
memory/856-154-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/856-156-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3j3c32vi.yie.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4172-174-0x00000116D1600000-0x00000116D1622000-memory.dmp
memory/4172-179-0x00007FF8B6700000-0x00007FF8B71C1000-memory.dmp
memory/4172-180-0x00000116B73B0000-0x00000116B73C0000-memory.dmp
memory/4172-181-0x00000116B73B0000-0x00000116B73C0000-memory.dmp
memory/4172-182-0x00000116D1AE0000-0x00000116D1AF2000-memory.dmp
memory/4172-183-0x00000116D18C0000-0x00000116D18CA000-memory.dmp
memory/4172-189-0x00007FF8B6700000-0x00007FF8B71C1000-memory.dmp
memory/4860-190-0x0000000000400000-0x0000000002C4C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 04:28
Reported
2024-04-17 04:30
Platform
win7-20240215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Amadey
AsyncRat
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
C:\Users\Admin\AppData\Roaming\appBroker.exe
"C:\Users\Admin\AppData\Roaming\appBroker.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FR | 94.228.162.82:80 | 94.228.162.82 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FR | 94.228.162.82:6606 | | tcp |
| FR | 94.228.162.82:6606 | | tcp |
| FR | 94.228.162.82:6606 | | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
Files
memory/2240-1-0x00000000030B0000-0x00000000031B0000-memory.dmp
memory/2240-2-0x0000000000220000-0x000000000028F000-memory.dmp
memory/2240-3-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/2240-5-0x0000000002E30000-0x0000000002E31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 11dcd8e017b0e067e922cfb6507a8dde |
| SHA1 | 80c4e499c9666401a0f9099482c7fa9debe006d5 |
| SHA256 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70 |
| SHA512 | 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0 |
memory/2240-17-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/2240-19-0x00000000030B0000-0x00000000031B0000-memory.dmp
memory/2548-20-0x00000000030B0000-0x00000000031B0000-memory.dmp
memory/2548-21-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\248906074286
| MD5 | 6d9522c9251f292af2c380ff042fde38 |
| SHA1 | 3038da236ae759a7dd67cd2f2ddcdf537e266b5a |
| SHA256 | f70795f1e0061f2a7bcfb337ac10313c514abb55053dc10092ce428036e21107 |
| SHA512 | 4ed4ce0bd24541539cbbac2f9e1c32250f20ccd2bd005515d1ba1bf50f66fc7ccb7ba77a890962af2eb39198d9a5e6c5b1563bc1541fbfad25e80c57ed6a5989 |
memory/2548-32-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/2548-33-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/2548-34-0x00000000030B0000-0x00000000031B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
| MD5 | b099ea0b80ecf49caa0d7003e0c95071 |
| SHA1 | 228a2aec5cf27fd0fca1f23161257f86bd8359ca |
| SHA256 | 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92 |
| SHA512 | 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029 |
memory/2936-54-0x0000000002CA0000-0x0000000002DA0000-memory.dmp
memory/2936-55-0x00000000002B0000-0x00000000002E5000-memory.dmp
memory/2936-56-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/2548-57-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarE1DE.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2708f99555a19f62161d1ec74b98b025 |
| SHA1 | bee3c268c1edc30dac20df7fbc0d96927ce1cc42 |
| SHA256 | c69168882c16d825b72a3187da94dc7981b4cc26e9377f40aee4dbd61371af07 |
| SHA512 | c934526e5df8573c34510c72fbf7f95b4512b1aa4a488787dc69dfe932189599c720f973716f09215346fa18bbe5c09ec8b2ccf735858a799b25a43c500dfbd8 |
memory/2936-194-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/2936-195-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/2936-196-0x0000000002CA0000-0x0000000002DA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll
| MD5 | 37976db9d0e6f8bf9db5ae4b56006d9d |
| SHA1 | dda3158d09c332c054d01fa08ad9824cb00c7d6a |
| SHA256 | 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687 |
| SHA512 | fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47 |
memory/1732-231-0x0000000002CC0000-0x0000000002DC0000-memory.dmp
memory/2548-230-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\76561199673019888[1].htm
| MD5 | c2d3beea5e1fa27b3fc1d4a3584dacf2 |
| SHA1 | 848c4db90300cd6f08188b8045c0bba40f309bb1 |
| SHA256 | 345fbfb05b3d1966a6d26463a5a542f2d6d62658982352705d735f546b1cf291 |
| SHA512 | 996fdc6929fce1aeaad7d93c6a2436137d67c7c7ab7ed0b60e389542e4cf6e620407dfac6cf68f0184aadd94975ac4f3737765c9db2110a6bffcbf002fea0739 |
memory/1732-246-0x0000000000400000-0x0000000002C2E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | def1a3452107faeeac2e09e0a4c0c4f5 |
| SHA1 | ee2ec5ded1799471c8e4d59f33b247d9a2f49f71 |
| SHA256 | 649f6ca82a92705c13ef05e5e72b7809c19861809f83c3ea7fa82c02dcc19b33 |
| SHA512 | 0e4e8a2a0b6a3335c1d57d7656bf831ebcd47d5e5d7972f7f671b3bd6d0fbccddb44544b8053d8edec85ef8f1877104c8d72f45532641ca7cba5aeb64daeb31f |
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
| MD5 | 7fd8581748cdf137023ef96f1286ce0f |
| SHA1 | c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a |
| SHA256 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6 |
| SHA512 | bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282 |
memory/2916-298-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
memory/2916-299-0x00000000729A0000-0x000000007308E000-memory.dmp
memory/1732-336-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/1732-337-0x0000000002CC0000-0x0000000002DC0000-memory.dmp
memory/2916-338-0x0000000004BC0000-0x0000000004C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat
| MD5 | 483005d6b92b516b1564868184cddb86 |
| SHA1 | 59dbb37843bbdfafef6b1be8123ed228493968ba |
| SHA256 | 1a668230519b3f83596da41024b12550b92e39acbb029995eb3f29fde3994fd0 |
| SHA512 | 7fa093f068b6a9a10f1078927ef3f7d06ca2024d388bdcb948b01180e468f4ab560ebe06716d4c45c274c6f8c159767358ede6178182a78fdfa6e667c857fff5 |
memory/2916-348-0x00000000729A0000-0x000000007308E000-memory.dmp
memory/1516-353-0x00000000008B0000-0x00000000008C2000-memory.dmp
memory/2548-352-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/1516-354-0x0000000072E60000-0x000000007354E000-memory.dmp
memory/1516-355-0x0000000004BB0000-0x0000000004BF0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a3aa3f98d2bd55d77772562dd0deab3e |
| SHA1 | 942ff9f21a5cfa4a701345539bd869c4360e6e42 |
| SHA256 | 19c01700c14a839d796a17a03885b33abba850f194da07371c17d722ed5d3827 |
| SHA512 | 86778e0a7aa2f0d7439f6100a1af7078ab9a80ed8e83b6e36f403bc7b4cd2e292d3b0ea65d4f96115ac5536230c76e750162b2c9659955fb4b3dc9b1d63eddb6 |
memory/1516-373-0x00000000064E0000-0x000000000657C000-memory.dmp
memory/1516-393-0x0000000000510000-0x000000000051A000-memory.dmp
memory/1516-392-0x0000000004690000-0x00000000046D0000-memory.dmp
memory/1516-396-0x0000000072E60000-0x000000007354E000-memory.dmp
memory/1516-397-0x0000000005490000-0x00000000054F2000-memory.dmp
memory/1516-416-0x0000000004BB0000-0x0000000004BF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |