Analysis Overview
SHA256
2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Threat Level: Known bad
The file 11dcd8e017b0e067e922cfb6507a8dde was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
ZGRat
Amadey
Detect ZGRat V1
Vidar
AsyncRat
Async RAT payload
Downloads MZ/PE file
Blocklisted process makes network request
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 04:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 04:29
Reported
2024-04-17 04:31
Platform
win7-20240220-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Amadey
AsyncRat
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value removed) | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value removed) | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\appBroker.exe
"C:\Users\Admin\AppData\Roaming\appBroker.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FR | 94.228.162.82:80 | 94.228.162.82 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FR | 94.228.162.82:7707 | | tcp |
| FR | 94.228.162.82:7707 | | tcp |
| FR | 94.228.162.82:7707 | | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
Files
memory/1740-1-0x0000000002E20000-0x0000000002F20000-memory.dmp
memory/1740-2-0x0000000000300000-0x000000000036F000-memory.dmp
memory/1740-3-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/1740-5-0x0000000004620000-0x0000000004621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 11dcd8e017b0e067e922cfb6507a8dde |
| SHA1 | 80c4e499c9666401a0f9099482c7fa9debe006d5 |
| SHA256 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70 |
| SHA512 | 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0 |
memory/1740-17-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/1740-18-0x0000000002E20000-0x0000000002F20000-memory.dmp
memory/1740-20-0x0000000000300000-0x000000000036F000-memory.dmp
memory/2792-21-0x0000000002DB0000-0x0000000002EB0000-memory.dmp
memory/2792-22-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\721934792624
| MD5 | b5c30c2e48b60f04ef5caffd4b786f6c |
| SHA1 | 7db19584bbb17ee7fba43f4798b4b9e781406c0c |
| SHA256 | 9a45b114e16fe039d6e4f9ed3ec040dd4c3674744cc63bb8398ef63623272966 |
| SHA512 | c674e6c22d6945e2f616fb7dcc8682b2a79bb12d531aa0abd98706fceb4ed3713166888d1ce069030cc2390b15de9d1923aac9ecc1ac7464e92037af3c837d06 |
memory/2792-33-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/2792-34-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/2792-35-0x0000000002DB0000-0x0000000002EB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
| MD5 | b099ea0b80ecf49caa0d7003e0c95071 |
| SHA1 | 228a2aec5cf27fd0fca1f23161257f86bd8359ca |
| SHA256 | 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92 |
| SHA512 | 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029 |
memory/1676-53-0x0000000002D80000-0x0000000002E80000-memory.dmp
memory/1676-54-0x0000000000230000-0x0000000000265000-memory.dmp
memory/1676-55-0x0000000000400000-0x0000000002C2E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarA04C.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba8466e6a98783b9cd358a187ae9e2c3 |
| SHA1 | fcba75fd251d63927548533f6cd91efb787da9f4 |
| SHA256 | 4dc6be2875e9490a5083696960034d110b338e3a297aad6fa24d01112d2137c0 |
| SHA512 | 15578005c572757dffbc87d9f46699b19bec976a267206f24ebe80161690c0046170bcca1e3ef5a433b9fdbd545c3723243d1a9cea0d8f9cd804deb52eddecb9 |
memory/2792-143-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/1676-184-0x0000000000400000-0x0000000002C2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll
| MD5 | 37976db9d0e6f8bf9db5ae4b56006d9d |
| SHA1 | dda3158d09c332c054d01fa08ad9824cb00c7d6a |
| SHA256 | 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687 |
| SHA512 | fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47 |
memory/2792-218-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/1568-219-0x0000000002DF0000-0x0000000002EF0000-memory.dmp
memory/1568-233-0x0000000000400000-0x0000000002C2E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\76561199673019888[1].htm
| MD5 | 1bcc95b1087b78e7278d381e624f2e1e |
| SHA1 | 44892824fcea1ff66e4803b822426abac3edd118 |
| SHA256 | ed1f88d3c68ce12c34981e84852b518fb90c30b039a7eee57638e970476dac06 |
| SHA512 | 187f931f6f70e56b51b1d1815d640009a463d34f654e471ea53b8f0adc5166bcf4e6e4eac570569d3d82bb87d02c08c0859606b4262d0580b76a100fa222649f |
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
| MD5 | 7fd8581748cdf137023ef96f1286ce0f |
| SHA1 | c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a |
| SHA256 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6 |
| SHA512 | bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282 |
memory/2156-249-0x0000000001380000-0x0000000001392000-memory.dmp
memory/2156-251-0x0000000072DA0000-0x000000007348E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27cc178f86f92ba0f0b7d0c856e2f7fb |
| SHA1 | aef1c0aed6485f3a452ad54bb89d0d00427ce547 |
| SHA256 | bac1a65ec671e8b9d638cb92af49a50dae0a616e3c878964d184049ce3b9bf76 |
| SHA512 | 420d37ee8879b97826b87f1b0a000bd5bfaf29c625013e984499422b2c5cc2a2c1a5c80ea8384ab9a78966bf4c417d97e447879c99be2bd72e4784f2447e6d8c |
memory/1568-324-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/1568-325-0x0000000002DF0000-0x0000000002EF0000-memory.dmp
memory/2156-326-0x0000000004BE0000-0x0000000004C20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat
| MD5 | 3b007eaf577c6c2c056f08bc120533c7 |
| SHA1 | 5b8c707bab3cdc69f1d7078a11799958608d9e63 |
| SHA256 | fdef3e1ebe873d7757b1f34a0d71a4687c35b9271672aa3e38a7d7e9cb4917f3 |
| SHA512 | c28672c0c4929da44a991b706daccbe91199ab263750008e3f030f2193d6f522ba6868808d55ee0b3a35098b8ec4873df9d04de84a7d54efd27e89c8e8a97e36 |
memory/2156-335-0x0000000072DA0000-0x000000007348E000-memory.dmp
memory/1668-340-0x0000000001340000-0x0000000001352000-memory.dmp
memory/2792-341-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/1668-342-0x0000000073260000-0x000000007394E000-memory.dmp
memory/1668-343-0x0000000004DF0000-0x0000000004E30000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b094ac37678943d494ba78ea70d267f |
| SHA1 | 23a839bbc379f4982b40b6cd4c395eb833ab783c |
| SHA256 | eb32d62b3166b37c27135316d47349515adb3922770f109e9dc0a1e8956949f1 |
| SHA512 | 6c48ba445cf04c70833d39dd7127b259189b62f6fa33fe9b4ddbe9126754af4e4d4c62923d74cb053a4785295ba4cb00631bc6b9f9d84f13d439280de24ef58e |
memory/1668-361-0x00000000053E0000-0x000000000547C000-memory.dmp
memory/1668-380-0x0000000000D60000-0x0000000000DA0000-memory.dmp
memory/1668-381-0x0000000000D10000-0x0000000000D1A000-memory.dmp
memory/1668-384-0x0000000073260000-0x000000007394E000-memory.dmp
memory/1668-385-0x00000000057D0000-0x0000000005832000-memory.dmp
memory/1668-404-0x0000000004DF0000-0x0000000004E30000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 5b4af32e0442d4558a0274d634bd9159 |
| SHA1 | f5791272526b24671b0130a7559fdf86b89016aa |
| SHA256 | 496eea519c2b6efae4d7b2b08cc1e81ab9d03c152b61beb084967fb7e1c981b5 |
| SHA512 | 650f40a79fd99b0f5f302364f5914ab877c7f6d04f00cdf1d5ddb1bea9bb740f5ccdae87e7ff2b3acf09ed2ab3d673ee28eb0ff66ff101072534c113d5a93e82 |
memory/2792-415-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
| MD5 | ca684dc5ebed4381701a39f1cc3a0fb2 |
| SHA1 | 8c4a375aa583bd1c705597a7f45fd18934276770 |
| SHA256 | b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2 |
| SHA512 | 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510 |
memory/2792-429-0x0000000000400000-0x0000000002C4C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 04:29
Reported
2024-04-17 04:31
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Amadey
AsyncRat
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 3076
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1312
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1676
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2052 -ip 2052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 2064
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1388
C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1820
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1652
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 2064
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5251.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
C:\Users\Admin\AppData\Roaming\appBroker.exe
"C:\Users\Admin\AppData\Roaming\appBroker.exe"
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4852 -ip 4852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1824
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
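The process list above carries the behaviours the signature summary flags by name: an elevated logon task created through schtasks for an executable under %AppData%, a dropped batch file run through cmd.exe with a `timeout 3` delay, rundll32 invoking the `Main` export of DLLs dropped in user-writable paths, and repeated WerFault invocations against the same PIDs. The triage script below is an added example, not part of the sandbox report or of any of the tooling it comes from; it re-applies those checks to a representative subset of the (image, command line) pairs copied from the list, so the same logic can be pointed at EDR process telemetry. The ATT&CK sub-technique IDs in the findings are the standard ones for scheduled-task persistence and rundll32 proxy execution; everything else (function names, the `USER_WRITABLE` pattern) is the example's own choice.

```python
import re
from typing import Dict, List, Tuple

# Process records copied from the process list above as (image path, command line).
# Only a representative subset is included; the sandbox prints the image path first
# and the command line on the following line.
PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1388"),
    (r"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe",
     r'"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1820"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1652"),
    (r"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe",
     r'"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 2064"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit'''),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5251.tmp.bat""'),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r"""schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'"""),
    (r"C:\Users\Admin\AppData\Roaming\appBroker.exe", r'"C:\Users\Admin\AppData\Roaming\appBroker.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe",
     r"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 440"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main'),
]

# Anything under a user's AppData tree is writable without elevation (example's own pattern).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(image: str, cmdline: str) -> List[str]:
    """Return the suspicious traits of one process record (empty list if none)."""
    findings: List[str] = []
    name = basename(image)
    lower = cmdline.lower()

    # Scheduled-task persistence (T1053.005): /tr pointing into a user-writable
    # directory is the tell; /rl highest asks for the task to run elevated.
    if "schtasks" in lower and "/create" in lower:
        m = re.search(r"/tr\s+'?\"?([^'\"]+)", cmdline, re.IGNORECASE)
        target = m.group(1).strip() if m else "?"
        if USER_WRITABLE.search(target):
            level = " (RunLevel=Highest)" if "/rl highest" in lower else ""
            findings.append(f"T1053.005 logon task -> {target}{level}")

    # rundll32 proxy execution (T1218.011): a DLL outside the Windows tree invoked by export name.
    if name == "rundll32.exe":
        m = re.search(r"rundll32\.exe\"?\s+(\S+?),\s*(\S+)", cmdline, re.IGNORECASE)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(f"T1218.011 rundll32 {m.group(1)} export {m.group(2)}")

    # cmd.exe running a batch file dropped in a user-writable path.
    if name == "cmd.exe":
        m = re.search(r"\"*([^\"]+\.bat)", cmdline, re.IGNORECASE)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(f"batch from user-writable path: {m.group(1)}")

    # Any PE whose image lives under AppData (a dropped payload rather than an installed program).
    if name.endswith(".exe") and USER_WRITABLE.search(image):
        findings.append(f"image in user-writable path: {image}")
    return findings


def crashed_pids(processes: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count WerFault '-u -p <pid>' invocations per crashed PID (the 'Program crash' signature)."""
    counts: Dict[str, int] = {}
    for image, cmdline in processes:
        m = re.search(r"-u -p (\d+)", cmdline)
        if basename(image) == "werfault.exe" and m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def triage_all(processes: List[Tuple[str, str]]) -> List[str]:
    return [f"{basename(img)}: {f}" for img, cmd in processes for f in triage(img, cmd)]


if __name__ == "__main__":
    for line in triage_all(PROCESSES):
        print(line)
    print("crashes per PID:", crashed_pids(PROCESSES))
```

Two caveats when reading the raw list: the image path says `SysWOW64` while the command line says `System32` because a 32-bit parent is subject to WoW64 file-system redirection, so that mismatch on its own is not an indicator; and the WerFault entries are Windows Error Reporting handling crashes of the payload PIDs, which is why the same PID (3120) appears with a different `-s` handle each time rather than a sign of WerFault itself being abused.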
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 96.39.123.93.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.28.217.95.in-addr.arpa | udp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FR | 94.228.162.82:80 | 94.228.162.82 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 82.162.228.94.in-addr.arpa | udp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FR | 94.228.162.82:7707 | | tcp |
| FR | 94.228.162.82:7707 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FR | 94.228.162.82:7707 | | tcp |
| US | 8.8.8.8:53 | | udp |
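Most rows in the Network table are not the sample's own behaviour: the `in-addr.arpa` queries to 8.8.8.8 are the sandbox reverse-resolving every peer it saw. What is left after removing them is the material for an IOC list: a named host (topgamecheats.dev at 93.123.39.96:80), TLS to bare IPs whose "domain" is the IP itself (95.217.28.230:443), and a non-web port (94.228.162.82:7707; 7707 is one of the default listener ports shipped in AsyncRAT builds, which fits the AsyncClient.exe drop above). The fetch from steamcommunity.com is also worth keeping rather than discarding as benign: a stealer retrieving a Steam profile page is consistent with the dead-drop resolver pattern Vidar is known for, although the report itself does not state that this is what the page was used for. The script below is an added example, not part of the report; it re-implements that filtering over a subset of rows copied from the table, with the label names and port set being the example's own choices.

```python
from collections import Counter
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str]  # (country, destination, domain, proto)

# Rows copied from the Network table above (a representative subset).
# An empty domain means the sandbox logged a bare connection with no name attached.
ROWS: List[Row] = [
    ("US", "138.91.171.81:80", "", "tcp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "topgamecheats.dev", "udp"),
    ("BG", "93.123.39.96:80", "topgamecheats.dev", "tcp"),
    ("BG", "93.123.39.96:80", "topgamecheats.dev", "tcp"),
    ("US", "8.8.8.8:53", "96.39.123.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "steamcommunity.com", "udp"),
    ("GB", "2.22.99.85:443", "steamcommunity.com", "tcp"),
    ("FI", "95.217.28.230:443", "95.217.28.230", "tcp"),
    ("FI", "95.217.28.230:443", "95.217.28.230", "tcp"),
    ("FR", "94.228.162.82:80", "94.228.162.82", "tcp"),
    ("FR", "94.228.162.82:7707", "", "tcp"),
    ("FR", "94.228.162.82:7707", "", "tcp"),
    ("US", "8.8.8.8:53", "", "udp"),
]

RESOLVER = "8.8.8.8"   # the sandbox's DNS server; never an IOC by itself
WEB_PORTS = {80, 443}  # ports where a name or SNI is expected; anything else is flagged


def split_dest(dest: str) -> Tuple[str, int]:
    host, port = dest.rsplit(":", 1)
    return host, int(port)


def classify(row: Row) -> str:
    """Label one row as sandbox noise, DNS, or a connection worth an IOC entry."""
    _, dest, domain, _ = row
    host, port = split_dest(dest)
    if host == RESOLVER:
        # The sandbox reverse-resolves every peer IP; those PTR queries are not sample behaviour.
        return "noise:ptr" if domain.endswith(".in-addr.arpa") else "dns"
    if port not in WEB_PORTS:
        return "suspect:nonstandard-port"
    if not domain or domain == host:
        return "suspect:direct-ip"  # no hostname at all, or the "name" is just the IP again
    return "named"


def resolved_names(rows: List[Row]) -> Dict[str, List[str]]:
    """Hostname -> IPs the sample actually connected to under that name."""
    names: Dict[str, List[str]] = {}
    for _, dest, domain, _ in rows:
        host, _ = split_dest(dest)
        if host == RESOLVER or not domain or domain == host:
            continue
        ips = names.setdefault(domain, [])
        if host not in ips:
            ips.append(host)
    return names


def iocs(rows: List[Row]) -> Dict[Tuple[str, str, int, str], int]:
    """Connection count per (domain or '-', ip, port, label) with DNS and PTR noise removed."""
    counts: Counter = Counter()
    for row in rows:
        label = classify(row)
        if label in ("dns", "noise:ptr"):
            continue
        _, dest, domain, _ = row
        host, port = split_dest(dest)
        counts[(domain or "-", host, port, label)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(iocs(ROWS).items()):
        print(n, *key)
    print(resolved_names(ROWS))
```

Hunting on the output is a two-step exercise: block or alert on the `suspect:*` endpoints directly, and treat the `named` entries as the pivot for passive-DNS and certificate searches, since the A record behind topgamecheats.dev can change while the infrastructure stays the same.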
Files
memory/3076-1-0x0000000002F40000-0x0000000003040000-memory.dmp
memory/3076-2-0x00000000048E0000-0x000000000494F000-memory.dmp
memory/3076-3-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 11dcd8e017b0e067e922cfb6507a8dde |
| SHA1 | 80c4e499c9666401a0f9099482c7fa9debe006d5 |
| SHA256 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70 |
| SHA512 | 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0 |
memory/3076-16-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/3076-17-0x00000000048E0000-0x000000000494F000-memory.dmp
memory/3120-18-0x0000000002EC0000-0x0000000002FC0000-memory.dmp
memory/3120-19-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\177723727746
| MD5 | 2460504450c5ee02aa3d0641c72203db |
| SHA1 | b77efb515ffbf393bb2264b4710a00730cd02af9 |
| SHA256 | 78c05f2239223da7c3b4832aabb8fb7fa933d028aded1c797c9561ae61367d3c |
| SHA512 | 576b8c74dd827fee2713c418f00d6b2de73139ec8258f4a656258c887e6affd67507db7e167716d84347a370026bcd419b5124c69073616ac0f7a0cb86ce23f7 |
memory/3120-29-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/3120-30-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/3120-31-0x0000000002EC0000-0x0000000002FC0000-memory.dmp
memory/4404-34-0x0000000002F60000-0x0000000003060000-memory.dmp
memory/4404-35-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/4404-37-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
| MD5 | b099ea0b80ecf49caa0d7003e0c95071 |
| SHA1 | 228a2aec5cf27fd0fca1f23161257f86bd8359ca |
| SHA256 | 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92 |
| SHA512 | 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029 |
memory/2052-54-0x0000000003020000-0x0000000003120000-memory.dmp
memory/2052-55-0x0000000002DA0000-0x0000000002DD5000-memory.dmp
memory/2052-56-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/2052-58-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/3120-59-0x0000000000400000-0x0000000002C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll
| MD5 | 37976db9d0e6f8bf9db5ae4b56006d9d |
| SHA1 | dda3158d09c332c054d01fa08ad9824cb00c7d6a |
| SHA256 | 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687 |
| SHA512 | fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47 |
memory/4420-89-0x0000000002E70000-0x0000000002F70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SMQKEDQF\76561199673019888[1].htm
| MD5 | 45754877126e2fdd6c153d56f2dffbcf |
| SHA1 | eb461e1d29ac00c58500f6b2b0670f131facf17d |
| SHA256 | 6e9396ba63aaf6c813d8b83b58f6a73e49c047050201abc8594a1a4d26779a7b |
| SHA512 | f256cb20b91b455dd5f24cc826b77f10040401ba6fed8a5510ed3c213d972ca2dbaa12f91578b3c0fb7005191e497f94893c5c7481a36c9cae6116a86c734e77 |
memory/4420-91-0x0000000000400000-0x0000000002C2E000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
| MD5 | 7fd8581748cdf137023ef96f1286ce0f |
| SHA1 | c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a |
| SHA256 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6 |
| SHA512 | bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282 |
memory/1524-121-0x00000000003F0000-0x0000000000402000-memory.dmp
memory/1524-122-0x00000000719E0000-0x0000000072190000-memory.dmp
memory/4420-123-0x0000000000400000-0x0000000002C2E000-memory.dmp
memory/1524-124-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
memory/1524-125-0x0000000004CC0000-0x0000000004D5C000-memory.dmp
memory/1524-130-0x00000000719E0000-0x0000000072190000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5251.tmp.bat
| MD5 | e7921ed96e652a36a3f3b21da4bd1bb7 |
| SHA1 | 9b205ef0235f18015cb672f05993e016aadd9514 |
| SHA256 | 283d97d7b80495871c6b6fed624f9e03835a3b326ff8518c9cb02283b7bec1c7 |
| SHA512 | d9fd9afe11da066440c78cc804a69a0f4777b85be59b5a0daaf7179ec861019028923d8d8677393e05175f35b54799aaf469edbd6d37ada30865f259cbfdd931 |
memory/3120-132-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/4724-136-0x0000000072E60000-0x0000000073610000-memory.dmp
memory/4724-137-0x0000000004C50000-0x0000000004C60000-memory.dmp
memory/4724-138-0x0000000005690000-0x0000000005C34000-memory.dmp
memory/4724-139-0x00000000050E0000-0x0000000005146000-memory.dmp
memory/4724-141-0x0000000006280000-0x00000000062F6000-memory.dmp
memory/4724-142-0x0000000006500000-0x000000000659C000-memory.dmp
memory/4724-143-0x0000000006260000-0x000000000627E000-memory.dmp
memory/4724-144-0x00000000065B0000-0x00000000065F0000-memory.dmp
memory/4724-145-0x00000000065F0000-0x00000000065FA000-memory.dmp
memory/4852-148-0x0000000002F10000-0x0000000003010000-memory.dmp
memory/4724-149-0x0000000072E60000-0x0000000073610000-memory.dmp
memory/4852-150-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/4852-152-0x0000000000400000-0x0000000002C4C000-memory.dmp
memory/4724-153-0x0000000004C50000-0x0000000004C60000-memory.dmp
memory/4724-154-0x0000000006720000-0x0000000006782000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | e9d7e93d329a2d504598ce563bf90039 |
| SHA1 | c25a8cf0489ce39e9ef43ab4fad2acd6432e277e |
| SHA256 | c2123dc6c525f0326e1d5e1a0f9eb3d2f26ca2f3678627a9f33aea766d2a035f |
| SHA512 | 6daa052fdd2f76d734cf300a22d57503337f65c751efceeea8e7383170dfd5cf8d5d77fd4639f1b1db3289d0cee53dcf6afda3e71aae260a73ba65b413880d2a |