Malware Analysis Report

2025-01-02 12:15

Sample ID 240417-e3netsfc4s
Target 11dcd8e017b0e067e922cfb6507a8dde.exe
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Tags amadey asyncrat vidar zgrat default persistence rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Threat Level: Known bad

The file 11dcd8e017b0e067e922cfb6507a8dde.exe was found to be: Known bad.

Malicious Activity Summary

Tags: amadey asyncrat vidar zgrat default persistence rat spyware stealer trojan

Detect Vidar Stealer
Amadey
AsyncRat
ZGRat
Vidar
Detect ZGRat V1
Async RAT payload
Downloads MZ/PE file
Blocklisted process makes network request
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Reads local data of messenger clients
Reads WinSCP keys stored on the system
Adds Run key to start application
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-17 04:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-17 04:28
Reported 2024-04-17 04:30
Platform win10v2004-20240412-en
Max time kernel 145s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"

Signatures

Amadey
Tags: trojan amadey

AsyncRat
Tags: rat asyncrat

Detect Vidar Stealer
Tags: stealer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Vidar
Tags: stealer vidar

ZGRat
Tags: rat zgrat

Async RAT payload
Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Reads WinSCP keys stored on the system
Tags: spyware stealer

Reads local data of messenger clients
Tags: spyware stealer

Reads user/profile data of web browsers
Tags: spyware stealer

Adds Run key to start application
Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Creates scheduled task(s)
Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe
Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3016 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3016 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3016 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 4860 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 4860 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 4860 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 4860 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 4860 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 4860 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 4860 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 4860 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 4860 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 4860 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 4860 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 4860 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2732 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4124 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4124 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4492 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4492 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4492 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4124 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 4124 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 4124 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 4860 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3592 wrote to memory of 4416 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 3592 wrote to memory of 4416 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 4416 wrote to memory of 4364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 4416 wrote to memory of 4364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 4416 wrote to memory of 4172 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 4172 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
  "C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 744
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 820
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 856
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 904
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 912
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1136
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1156
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1240
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3016 -ip 3016
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1616
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1256
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 552
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 560
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 568
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 712
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 880
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 916
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 880
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 916
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 904
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 968
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1140
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1328
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1092
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1656
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
  "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1676
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4888 -ip 4888
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 2064
C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1800
C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
  "C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1792
C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1640
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
  "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1632
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5080 -ip 5080
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 2072
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 680 -ip 680
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 448
C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp146D.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
  timeout 3
C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
C:\Users\Admin\AppData\Roaming\appBroker.exe
  "C:\Users\Admin\AppData\Roaming\appBroker.exe"
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1656
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 856 -ip 856
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 440
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1808
C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
  netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\556644402199_Desktop.zip' -CompressionLevel Optimal

Network


Files

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 11dcd8e017b0e067e922cfb6507a8dde
SHA1 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

C:\Users\Admin\AppData\Local\Temp\556644402199

MD5 61c6759b7d1ab0dfcfbccbb328d3108b
SHA1 b1c6cea6b6edc3d496ac4c8dae3b57a38ef58977
SHA256 8f74a77e8e7cc3fcc2c36864aa9a6be195becfa1de3ea989b2ebe74fd2ae25c7
SHA512 5a39fce9387f05ef72b71916dcc560d77abf9c824c8d6ebb4a8e166a5d2cf16b66537a77fa5e4e3682f422ba72c7e0cd106ee4c765c49569d3951b048af20184

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

MD5 b099ea0b80ecf49caa0d7003e0c95071
SHA1 228a2aec5cf27fd0fca1f23161257f86bd8359ca
SHA256 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92
SHA512 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll

MD5 37976db9d0e6f8bf9db5ae4b56006d9d
SHA1 dda3158d09c332c054d01fa08ad9824cb00c7d6a
SHA256 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687
SHA512 fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U6QMY0YF\76561199673019888[1].htm

MD5 0f211e72e08c4d3630c15b76c6a7e63a
SHA1 287f558b1ddd01c782ffefa6f33a9e20c26feb8e
SHA256 370736e438efa48dc2a5751a7a5d1e55c40aa8e0bcb6cc26d8c42d8b072af253
SHA512 221359240c9720efafd4ff45f80c75cdab4c4ff506f7b95a5ff7bf412e543bfef32aca5c1a4ff077c9e54220185fa1b9f7ffb2bed74a763cc6905df6fde0af2f

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

MD5 7fd8581748cdf137023ef96f1286ce0f
SHA1 c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512 bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

C:\Users\Admin\AppData\Local\Temp\tmp146D.tmp.bat

MD5 2de12864e056681a7aac7ea1c0de88f6
SHA1 8b3b3fcb9a2fc1d10a4a6aa5c0f8832e3a8a7cf0
SHA256 21d7f784e4b9990683377a96ddbacc0788b6459f16263c60ec289f79de6d0f2b
SHA512 80a656c50090aafbd2532c797e96f8e6a14d92f3aae024902c534e7b8ca380bdfea009af6a7118010460ccbeb32209c0942e673b6e982e90b6c0ea8c9205eee7

memory/2732-130-0x00000000715D0000-0x0000000071D80000-memory.dmp

memory/2060-134-0x0000000072860000-0x0000000073010000-memory.dmp

memory/2060-135-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/2060-136-0x0000000005660000-0x0000000005C04000-memory.dmp

memory/2060-137-0x0000000005120000-0x0000000005186000-memory.dmp

memory/2060-139-0x0000000006290000-0x0000000006306000-memory.dmp

memory/2060-140-0x0000000006510000-0x00000000065AC000-memory.dmp

memory/2060-141-0x0000000006260000-0x000000000627E000-memory.dmp

memory/2060-142-0x00000000065B0000-0x00000000065F0000-memory.dmp

memory/2060-143-0x00000000065F0000-0x00000000065FA000-memory.dmp

memory/2060-145-0x0000000072860000-0x0000000073010000-memory.dmp

memory/2060-146-0x0000000006720000-0x0000000006782000-memory.dmp

memory/2060-148-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/856-153-0x0000000002EE0000-0x0000000002FE0000-memory.dmp

memory/856-154-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/856-156-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 4876ee75ce2712147c41ff1277cd2d30
SHA1 3733dc92318f0c6b92cb201e49151686281acda6
SHA256 bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3j3c32vi.yie.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4172-174-0x00000116D1600000-0x00000116D1622000-memory.dmp

memory/4172-179-0x00007FF8B6700000-0x00007FF8B71C1000-memory.dmp

memory/4172-180-0x00000116B73B0000-0x00000116B73C0000-memory.dmp

memory/4172-181-0x00000116B73B0000-0x00000116B73C0000-memory.dmp

memory/4172-182-0x00000116D1AE0000-0x00000116D1AF2000-memory.dmp

memory/4172-183-0x00000116D18C0000-0x00000116D18CA000-memory.dmp

memory/4172-189-0x00007FF8B6700000-0x00007FF8B71C1000-memory.dmp

memory/4860-190-0x0000000000400000-0x0000000002C4C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 04:28

Reported

2024-04-17 04:30

Platform

win7-20240215-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A
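Every Run value above is written by the Amadey loader (Dctooux.exe) and points either at an executable under the user's profile or at rundll32 loading a DLL from there. The script below is an added example, not part of the sandbox report: it parses "Set value" records of exactly the shape printed above and flags autostart entries by three independent tests (target in a user-writable directory, launch through a proxy binary such as rundll32, and writer running from a user-writable directory). The first three input lines are copied from the table; the fourth is a constructed benign OneDrive entry written by msiexec.exe, included only so a non-alert case is visible. The regex, the list of proxy binaries and the "user-writable" path pattern are this example's own choices.

```python
import re

# Three records copied from the "Adds Run key to start application" table above, plus
# one constructed benign entry (OneDrive written by msiexec) so a non-alert is shown.
RUN_KEY_EVENTS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" C:\Windows\System32\msiexec.exe N/A
"""

# Shape of one sandbox record: Description, Indicator (key = "data"), Process, Target.
# The data column is greedy so it can contain spaces ("rundll32 ..., Main").
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\Run(?:Once)?\\(?P<name>\S+)) = '
    r'"(?P<data>.*)" (?P<writer>\S+) (?P<target>\S+)$'
)

# Directories an unprivileged user can write to (assumption: good enough for a first
# triage pass; tune for your environment).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\", re.IGNORECASE
)
# System binaries that execute attacker-supplied code named on their command line.
PROXY_BINARIES = {"rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell", "cmd"}


def host_binary(command):
    """Basename (without .exe) of the first whitespace-separated token of a command line."""
    first = command.split()[0].strip('"').lower()
    base = first.rsplit("\\", 1)[-1]
    return base[:-4] if base.endswith(".exe") else base


def analyse_run_key_events(text):
    """Return one finding per suspicious Run value; entries with no reason are dropped."""
    findings = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        data = m["data"].replace("\\\\", "\\")  # the sandbox escapes backslashes in string data
        reasons = []
        if USER_WRITABLE.search(data):
            reasons.append("autostart target lives in a user-writable directory")
        if host_binary(data) in PROXY_BINARIES:
            reasons.append(f"autostart runs through proxy binary {host_binary(data)}")
        if USER_WRITABLE.search(m["writer"]):
            reasons.append("Run value written by a process running from a user-writable directory")
        if reasons:
            findings.append({"value": m["name"], "data": data,
                             "writer": m["writer"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_run_key_events(RUN_KEY_EVENTS):
        print(f'{f["value"]:16} {f["data"]}')
        for r in f["reasons"]:
            print(f"    - {r}")
```

The same three tests apply unchanged to Sysmon Event ID 13 (RegistryEvent value set) once the key path, data and image fields are mapped onto the regex groups; the sandbox line format is only the sample carrier here.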

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A

AuthRoot\Certificates is the store that the Windows automatic root update fills on demand, and the CryptnetUrlCache entries listed under Files are the downloaded root/CTL data; the same writes appear whenever a process makes its first TLS connection that chains to a public root not yet cached on the machine. The thumbprint above matches the DigiCert High Assurance EV Root CA, so in this run the signature corroborates the HTTPS traffic from vidar.exe rather than showing deliberate tampering with the certificate store.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\appBroker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2240 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2240 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2240 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2548 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2548 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2548 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2548 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2548 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2548 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2548 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2548 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2548 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2548 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2548 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2548 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2548 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2548 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2548 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2548 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2916 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2116 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2116 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2116 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1756 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 2116 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 2116 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 2116 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 2548 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2604 wrote to memory of 2672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2604 wrote to memory of 2672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
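The table above is long because the sandbox logs every WriteProcessMemory call, and a parent writing into a child it has just created (CreateProcess writes the new process's startup parameters before resuming it) produces several events per spawn. What an analyst needs from it is the process tree and any writer that is not the target's creator. The following script is an added example, not part of the report: it parses records of the shape above, takes the first writer into each PID as its parent, counts events per pair, and flags a later, different writer as a cross-process injection candidate (a heuristic of this example, not a signature the sandbox emits). The input is one record per distinct (writer, target) pair copied from the table, with the first pair repeated once so the count is visible; the report itself repeats each pair four to seven times.

```python
import re
from collections import defaultdict

# One record per distinct (writer, target) pair copied from the "Suspicious use of
# WriteProcessMemory" table above, with the first pair repeated once.
WPM_EVENTS = r"""
PID 2240 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2240 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2548 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2548 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2548 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2548 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2548 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2916 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1756 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 2548 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
"""

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_wpm(text):
    """Return (parent_of, counts, image, injections).

    parent_of:  child pid -> first pid that wrote into it (the creator, in this output).
    counts:     (writer, target) -> number of WriteProcessMemory events.
    image:      pid -> image path.
    injections: (writer, target) pairs where a second, different process wrote into a
                child already claimed by its creator (heuristic for cross-process injection).
    """
    parent_of, image, counts, injections = {}, {}, defaultdict(int), []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image.setdefault(src, m["src_img"])
        image.setdefault(dst, m["dst_img"])
        if dst in parent_of and parent_of[dst] != src and (src, dst) not in injections:
            injections.append((src, dst))
        parent_of.setdefault(dst, src)
        counts[(src, dst)] += 1
    return parent_of, dict(counts), image, injections


def render_tree(parent_of, counts, image):
    """Indented one-line-per-process view, children in order of first appearance."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = [pid for pid in image if pid not in parent_of]
    lines = []

    def walk(pid, depth):
        n = counts.get((parent_of.get(pid), pid), 0)
        suffix = f"  [{n} write(s)]" if n else ""
        lines.append(f"{'    ' * depth}{pid} {image[pid]}{suffix}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def lineage(parent_of, pid):
    """Ancestor chain from the root process down to pid."""
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


if __name__ == "__main__":
    parent_of, counts, image, injections = parse_wpm(WPM_EVENTS)
    print("\n".join(render_tree(parent_of, counts, image)))
    print("injection candidates:", injections or "none")
```

On this input every writer is the target's creator, so the tree shows the dropper chain (sample -> Dctooux.exe -> vidar.exe / rundll32 build.dll / AsyncClient.exe -> cmd -> schtasks, timeout, appBroker.exe) and the injection list is empty; on a run where, say, a stealer writes into a browser it did not spawn, that pair would be the one line worth reading first.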

Processes

C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe

"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe

"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'

C:\Users\Admin\AppData\Roaming\appBroker.exe

"C:\Users\Admin\AppData\Roaming\appBroker.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

Network

Country Destination Domain Proto
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FR 94.228.162.82:80 94.228.162.82 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FR 94.228.162.82:6606 - tcp
FR 94.228.162.82:6606 - tcp
FR 94.228.162.82:6606 - tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
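The connection list mixes DNS lookups, sessions to resolved names and sessions to bare IPs (the sandbox prints the IP again in the domain column, or nothing, when no name was resolved), and repeats each endpoint once per session. The script below is an added example, not part of the report: it parses rows of exactly the shape above, separates DNS queries from sessions, counts sessions per endpoint, maps each name to the addresses it resolved to, and lists the endpoints an analyst would put on a blocklist first: sessions to a bare IP and sessions on a port other than 53/80/443. The input is the table above copied verbatim; the "standard port" set is this example's choice. The report does not tie connections to processes, so which component opened the repeated sessions to 94.228.162.82:6606 is not shown here; the cached steamcommunity.com profile page listed under Files is consistent with the Steam-profile dead-drop resolver that Vidar is known to use, but that is context, not something this run proves.

```python
from collections import Counter
from ipaddress import ip_address

# The "Network" table above, copied verbatim (sandbox observations, not a live capture).
NETWORK_ROWS = """
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FR 94.228.162.82:80 94.228.162.82 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FR 94.228.162.82:6606 tcp
FR 94.228.162.82:6606 tcp
FR 94.228.162.82:6606 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
"""

STANDARD_PORTS = {53, 80, 443}  # assumption: anything else is worth a second look


def looks_like_ip(s):
    try:
        ip_address(s)
        return True
    except ValueError:
        return False


def parse_rows(text):
    """Rows are 'CC host:port [domain] proto'; a missing, '-' or IP-valued domain means no name."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            cc, dest, domain, proto = parts
        elif len(parts) == 3:
            cc, dest, proto = parts
            domain = None
        else:
            continue
        host, port = dest.rsplit(":", 1)
        if domain in (None, "-") or looks_like_ip(domain):
            domain = None
        rows.append({"cc": cc, "host": host, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarise(rows):
    """Collapse the session list into the facts an analyst acts on."""
    dns_queries = {r["domain"] for r in rows if r["port"] == 53 and r["domain"]}
    sessions = [r for r in rows if r["port"] != 53]
    endpoint = lambda r: f'{r["host"]}:{r["port"]}'
    resolved = {}
    for r in sessions:
        if r["domain"]:
            resolved.setdefault(r["domain"], set()).add(r["host"])
    return {
        "dns_queries": dns_queries,
        "session_counts": dict(Counter(endpoint(r) for r in sessions)),
        "resolved": resolved,
        "direct_to_ip": sorted({endpoint(r) for r in sessions if r["domain"] is None}),
        "nonstandard_ports": sorted({endpoint(r) for r in sessions if r["port"] not in STANDARD_PORTS}),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

Blocking the two bare IPs on all ports and the one resolved loader domain covers every non-Steam destination in this run; steamcommunity.com itself is a legitimate site and belongs on a watchlist for the profile URL pattern rather than on a blocklist.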

Files

memory/2240-1-0x00000000030B0000-0x00000000031B0000-memory.dmp

memory/2240-2-0x0000000000220000-0x000000000028F000-memory.dmp

memory/2240-3-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/2240-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 11dcd8e017b0e067e922cfb6507a8dde
SHA1 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

memory/2240-17-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/2240-19-0x00000000030B0000-0x00000000031B0000-memory.dmp

memory/2548-20-0x00000000030B0000-0x00000000031B0000-memory.dmp

memory/2548-21-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\248906074286

MD5 6d9522c9251f292af2c380ff042fde38
SHA1 3038da236ae759a7dd67cd2f2ddcdf537e266b5a
SHA256 f70795f1e0061f2a7bcfb337ac10313c514abb55053dc10092ce428036e21107
SHA512 4ed4ce0bd24541539cbbac2f9e1c32250f20ccd2bd005515d1ba1bf50f66fc7ccb7ba77a890962af2eb39198d9a5e6c5b1563bc1541fbfad25e80c57ed6a5989

memory/2548-32-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/2548-33-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/2548-34-0x00000000030B0000-0x00000000031B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

MD5 b099ea0b80ecf49caa0d7003e0c95071
SHA1 228a2aec5cf27fd0fca1f23161257f86bd8359ca
SHA256 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92
SHA512 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

memory/2936-54-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

memory/2936-55-0x00000000002B0000-0x00000000002E5000-memory.dmp

memory/2936-56-0x0000000000400000-0x0000000002C2E000-memory.dmp

memory/2548-57-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarE1DE.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2708f99555a19f62161d1ec74b98b025
SHA1 bee3c268c1edc30dac20df7fbc0d96927ce1cc42
SHA256 c69168882c16d825b72a3187da94dc7981b4cc26e9377f40aee4dbd61371af07
SHA512 c934526e5df8573c34510c72fbf7f95b4512b1aa4a488787dc69dfe932189599c720f973716f09215346fa18bbe5c09ec8b2ccf735858a799b25a43c500dfbd8

memory/2936-194-0x0000000000400000-0x0000000002C2E000-memory.dmp

memory/2936-195-0x0000000000400000-0x0000000002C2E000-memory.dmp

memory/2936-196-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll

MD5 37976db9d0e6f8bf9db5ae4b56006d9d
SHA1 dda3158d09c332c054d01fa08ad9824cb00c7d6a
SHA256 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687
SHA512 fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

memory/1732-231-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

memory/2548-230-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\76561199673019888[1].htm

MD5 c2d3beea5e1fa27b3fc1d4a3584dacf2
SHA1 848c4db90300cd6f08188b8045c0bba40f309bb1
SHA256 345fbfb05b3d1966a6d26463a5a542f2d6d62658982352705d735f546b1cf291
SHA512 996fdc6929fce1aeaad7d93c6a2436137d67c7c7ab7ed0b60e389542e4cf6e620407dfac6cf68f0184aadd94975ac4f3737765c9db2110a6bffcbf002fea0739

memory/1732-246-0x0000000000400000-0x0000000002C2E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 def1a3452107faeeac2e09e0a4c0c4f5
SHA1 ee2ec5ded1799471c8e4d59f33b247d9a2f49f71
SHA256 649f6ca82a92705c13ef05e5e72b7809c19861809f83c3ea7fa82c02dcc19b33
SHA512 0e4e8a2a0b6a3335c1d57d7656bf831ebcd47d5e5d7972f7f671b3bd6d0fbccddb44544b8053d8edec85ef8f1877104c8d72f45532641ca7cba5aeb64daeb31f

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

MD5 7fd8581748cdf137023ef96f1286ce0f
SHA1 c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512 bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

memory/2916-298-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

memory/2916-299-0x00000000729A0000-0x000000007308E000-memory.dmp

memory/1732-336-0x0000000000400000-0x0000000002C2E000-memory.dmp

memory/1732-337-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

memory/2916-338-0x0000000004BC0000-0x0000000004C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat

MD5 483005d6b92b516b1564868184cddb86
SHA1 59dbb37843bbdfafef6b1be8123ed228493968ba
SHA256 1a668230519b3f83596da41024b12550b92e39acbb029995eb3f29fde3994fd0
SHA512 7fa093f068b6a9a10f1078927ef3f7d06ca2024d388bdcb948b01180e468f4ab560ebe06716d4c45c274c6f8c159767358ede6178182a78fdfa6e667c857fff5

memory/2916-348-0x00000000729A0000-0x000000007308E000-memory.dmp

memory/1516-353-0x00000000008B0000-0x00000000008C2000-memory.dmp

memory/2548-352-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/1516-354-0x0000000072E60000-0x000000007354E000-memory.dmp

memory/1516-355-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3aa3f98d2bd55d77772562dd0deab3e
SHA1 942ff9f21a5cfa4a701345539bd869c4360e6e42
SHA256 19c01700c14a839d796a17a03885b33abba850f194da07371c17d722ed5d3827
SHA512 86778e0a7aa2f0d7439f6100a1af7078ab9a80ed8e83b6e36f403bc7b4cd2e292d3b0ea65d4f96115ac5536230c76e750162b2c9659955fb4b3dc9b1d63eddb6

memory/1516-373-0x00000000064E0000-0x000000000657C000-memory.dmp

memory/1516-393-0x0000000000510000-0x000000000051A000-memory.dmp

memory/1516-392-0x0000000004690000-0x00000000046D0000-memory.dmp

memory/1516-396-0x0000000072E60000-0x000000007354E000-memory.dmp

memory/1516-397-0x0000000005490000-0x00000000054F2000-memory.dmp

memory/1516-416-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 4876ee75ce2712147c41ff1277cd2d30
SHA1 3733dc92318f0c6b92cb201e49151686281acda6
SHA256 bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9