Malware Analysis Report

2025-01-02 12:16

Sample ID 240417-e4ejbafc6x
Target 11dcd8e017b0e067e922cfb6507a8dde
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Tags
amadey asyncrat vidar zgrat default persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70

Threat Level: Known bad

The file 11dcd8e017b0e067e922cfb6507a8dde was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat vidar zgrat default persistence rat spyware stealer trojan

Detect Vidar Stealer

ZGRat

Amadey

Detect ZGRat V1

Vidar

AsyncRat

Async RAT payload

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 04:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 04:29

Reported

2024-04-17 04:31

Platform

win7-20240220-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <data omitted> C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <data omitted> C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <data omitted> C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\appBroker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 1740 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 1740 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 1740 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2792 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2792 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2792 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2792 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 2792 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2792 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2792 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2792 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 2792 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2792 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2792 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2792 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 2792 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2792 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2792 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2792 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 2156 wrote to memory of 904 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 904 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 904 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 904 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1696 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1696 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1696 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1696 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1696 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 1696 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 1696 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 1696 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2008 wrote to memory of 912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2008 wrote to memory of 912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe

"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe

"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\appBroker.exe

"C:\Users\Admin\AppData\Roaming\appBroker.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main

Network

Country Destination Domain Proto
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FR 94.228.162.82:80 94.228.162.82 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FR 94.228.162.82:7707 tcp
FR 94.228.162.82:7707 tcp
FR 94.228.162.82:7707 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp

Files

memory/1740-1-0x0000000002E20000-0x0000000002F20000-memory.dmp

memory/1740-2-0x0000000000300000-0x000000000036F000-memory.dmp

memory/1740-3-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/1740-5-0x0000000004620000-0x0000000004621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 11dcd8e017b0e067e922cfb6507a8dde
SHA1 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

memory/1740-17-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/1740-18-0x0000000002E20000-0x0000000002F20000-memory.dmp

memory/1740-20-0x0000000000300000-0x000000000036F000-memory.dmp

memory/2792-21-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

memory/2792-22-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\721934792624

MD5 b5c30c2e48b60f04ef5caffd4b786f6c
SHA1 7db19584bbb17ee7fba43f4798b4b9e781406c0c
SHA256 9a45b114e16fe039d6e4f9ed3ec040dd4c3674744cc63bb8398ef63623272966
SHA512 c674e6c22d6945e2f616fb7dcc8682b2a79bb12d531aa0abd98706fceb4ed3713166888d1ce069030cc2390b15de9d1923aac9ecc1ac7464e92037af3c837d06

memory/2792-33-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/2792-34-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/2792-35-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

MD5 b099ea0b80ecf49caa0d7003e0c95071
SHA1 228a2aec5cf27fd0fca1f23161257f86bd8359ca
SHA256 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92
SHA512 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

memory/1676-53-0x0000000002D80000-0x0000000002E80000-memory.dmp

memory/1676-54-0x0000000000230000-0x0000000000265000-memory.dmp

memory/1676-55-0x0000000000400000-0x0000000002C2E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarA04C.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba8466e6a98783b9cd358a187ae9e2c3
SHA1 fcba75fd251d63927548533f6cd91efb787da9f4
SHA256 4dc6be2875e9490a5083696960034d110b338e3a297aad6fa24d01112d2137c0
SHA512 15578005c572757dffbc87d9f46699b19bec976a267206f24ebe80161690c0046170bcca1e3ef5a433b9fdbd545c3723243d1a9cea0d8f9cd804deb52eddecb9

memory/2792-143-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/1676-184-0x0000000000400000-0x0000000002C2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll

MD5 37976db9d0e6f8bf9db5ae4b56006d9d
SHA1 dda3158d09c332c054d01fa08ad9824cb00c7d6a
SHA256 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687
SHA512 fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

memory/2792-218-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/1568-219-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

memory/1568-233-0x0000000000400000-0x0000000002C2E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\76561199673019888[1].htm

MD5 1bcc95b1087b78e7278d381e624f2e1e
SHA1 44892824fcea1ff66e4803b822426abac3edd118
SHA256 ed1f88d3c68ce12c34981e84852b518fb90c30b039a7eee57638e970476dac06
SHA512 187f931f6f70e56b51b1d1815d640009a463d34f654e471ea53b8f0adc5166bcf4e6e4eac570569d3d82bb87d02c08c0859606b4262d0580b76a100fa222649f

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

MD5 7fd8581748cdf137023ef96f1286ce0f
SHA1 c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512 bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

memory/2156-249-0x0000000001380000-0x0000000001392000-memory.dmp

memory/2156-251-0x0000000072DA0000-0x000000007348E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27cc178f86f92ba0f0b7d0c856e2f7fb
SHA1 aef1c0aed6485f3a452ad54bb89d0d00427ce547
SHA256 bac1a65ec671e8b9d638cb92af49a50dae0a616e3c878964d184049ce3b9bf76
SHA512 420d37ee8879b97826b87f1b0a000bd5bfaf29c625013e984499422b2c5cc2a2c1a5c80ea8384ab9a78966bf4c417d97e447879c99be2bd72e4784f2447e6d8c

memory/1568-324-0x0000000000400000-0x0000000002C2E000-memory.dmp

memory/1568-325-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

memory/2156-326-0x0000000004BE0000-0x0000000004C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat

MD5 3b007eaf577c6c2c056f08bc120533c7
SHA1 5b8c707bab3cdc69f1d7078a11799958608d9e63
SHA256 fdef3e1ebe873d7757b1f34a0d71a4687c35b9271672aa3e38a7d7e9cb4917f3
SHA512 c28672c0c4929da44a991b706daccbe91199ab263750008e3f030f2193d6f522ba6868808d55ee0b3a35098b8ec4873df9d04de84a7d54efd27e89c8e8a97e36

memory/2156-335-0x0000000072DA0000-0x000000007348E000-memory.dmp

memory/1668-340-0x0000000001340000-0x0000000001352000-memory.dmp

memory/2792-341-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/1668-342-0x0000000073260000-0x000000007394E000-memory.dmp

memory/1668-343-0x0000000004DF0000-0x0000000004E30000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b094ac37678943d494ba78ea70d267f
SHA1 23a839bbc379f4982b40b6cd4c395eb833ab783c
SHA256 eb32d62b3166b37c27135316d47349515adb3922770f109e9dc0a1e8956949f1
SHA512 6c48ba445cf04c70833d39dd7127b259189b62f6fa33fe9b4ddbe9126754af4e4d4c62923d74cb053a4785295ba4cb00631bc6b9f9d84f13d439280de24ef58e

memory/1668-361-0x00000000053E0000-0x000000000547C000-memory.dmp

memory/1668-380-0x0000000000D60000-0x0000000000DA0000-memory.dmp

memory/1668-381-0x0000000000D10000-0x0000000000D1A000-memory.dmp

memory/1668-384-0x0000000073260000-0x000000007394E000-memory.dmp

memory/1668-385-0x00000000057D0000-0x0000000005832000-memory.dmp

memory/1668-404-0x0000000004DF0000-0x0000000004E30000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 5b4af32e0442d4558a0274d634bd9159
SHA1 f5791272526b24671b0130a7559fdf86b89016aa
SHA256 496eea519c2b6efae4d7b2b08cc1e81ab9d03c152b61beb084967fb7e1c981b5
SHA512 650f40a79fd99b0f5f302364f5914ab877c7f6d04f00cdf1d5ddb1bea9bb740f5ccdae87e7ff2b3acf09ed2ab3d673ee28eb0ff66ff101072534c113d5a93e82

memory/2792-415-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

MD5 ca684dc5ebed4381701a39f1cc3a0fb2
SHA1 8c4a375aa583bd1c705597a7f45fd18934276770
SHA256 b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
SHA512 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

memory/2792-429-0x0000000000400000-0x0000000002C4C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 04:29

Reported

2024-04-17 04:31

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\appBroker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3076 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3076 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3076 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3120 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 3120 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 3120 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 3120 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3120 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3120 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3120 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 3120 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 3120 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 3120 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 3120 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 3120 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 1524 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4028 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4028 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3668 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3668 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3668 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4028 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 4028 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 4028 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 3120 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4864 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
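The table above is one row per write event, so the execution chain is hard to read off it. The script below is an added example for this report, not sandbox output: it rebuilds the parent/child tree from those rows (copied verbatim as sample input), keeps the number of writes per edge, and prints the tree. It assumes the row layout shown above and that image paths contain no spaces, which holds for this run. On this data it shows a single root, the submitted sample (PID 3076), which hands off to its copy Dctooux.exe (PID 3120); that process is the hub that launches vidar.exe twice, three rundll32 loaders, another copy of itself and AsyncClient.exe (PID 1524), which in turn drives the two cmd.exe instances that create the scheduled task and run the batch file.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: rows copied from the WriteProcessMemory table above. The sandbox
# emits one row per write, so repeated rows are kept on purpose; the count per edge is reported.
SAMPLE_ROWS = r"""
PID 3076 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3076 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3076 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3120 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 3120 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 3120 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
PID 3120 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 1524 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3668 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4028 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 3120 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4864 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
"""

# Assumed row layout (holds for this report): image paths contain no spaces, so \S+ suffices.
# A report with spaces in paths would need the sandbox's delimited export instead.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return (image path by PID, child PIDs by parent PID, write count by (src, dst) edge)."""
    image, children, writes = {}, defaultdict(set), Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # table header or a row in another layout
        src, dst = int(m.group(1)), int(m.group(2))
        image[src], image[dst] = m.group(3), m.group(4)
        children[src].add(dst)
        writes[(src, dst)] += 1
    return image, children, writes


def roots(children):
    """PIDs that write into others but were never written into: the head of each chain."""
    targets = {d for kids in children.values() for d in kids}
    return sorted(p for p in children if p not in targets)


def depth(children, pid):
    """Number of hops from the root; 0 for the root itself."""
    parent = {d: s for s, kids in children.items() for d in kids}
    hops = 0
    while pid in parent:
        pid = parent[pid]
        hops += 1
    return hops


def render(image, children, writes, pid, parent=None, indent=0):
    """One line per process, indented by depth, prefixed with the write count from its parent."""
    tag = f"[{writes[(parent, pid)]} writes] " if parent is not None else ""
    lines = [f"{'  ' * indent}{tag}{pid} {image[pid]}"]
    for kid in sorted(children.get(pid, ())):
        lines.extend(render(image, children, writes, kid, pid, indent + 1))
    return lines


if __name__ == "__main__":
    img, kids, cnt = parse_rows(SAMPLE_ROWS)
    for root in roots(kids):
        print("\n".join(render(img, kids, cnt, root)))
```

The write count per edge is worth keeping: three writes from a parent into a freshly created child is the usual signature of a process being set up before its first thread runs, whereas a single write into an already running process would point at a different injection technique.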

Processes

C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe

"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 3076

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1312

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1676

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2052 -ip 2052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 2064

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1388

C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe

"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1820

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1652

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4420 -ip 4420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 2064

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5251.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'

C:\Users\Admin\AppData\Roaming\appBroker.exe

"C:\Users\Admin\AppData\Roaming\appBroker.exe"

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1824

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
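Read together, the command lines above show three things worth writing detection for: the AsyncRAT install routine (cmd.exe running a tmp*.tmp.bat that calls timeout 3 and then starts the copied appBroker.exe, plus schtasks /create /sc onlogon /rl highest for that binary), DLLs loaded out of user-writable paths through rundll32 with the Main export (build.dll twice and cred64.dll, all spawned by Dctooux.exe according to the WriteProcessMemory table; cred64.dll matches the name of Amadey's credential-stealing plugin), and a crash loop in PIDs 3076 and 3120 that WerFault reports over and over. The script below is an added triage example, not part of the sandbox output; the rule names and the crash threshold are this example's own choices, and it runs over a constructed subset of the command lines listed above.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the command lines from the Processes list above.
SAMPLE_CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 764
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 780
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 856
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 552
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 572
"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 2064
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5251.tmp.bat""
timeout 3
schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
"C:\Users\Admin\AppData\Roaming\appBroker.exe"
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
""".strip().splitlines()

# Each rule is a list of regexes that must all match (case-insensitive). Rule names are this
# example's own, not sandbox signature names.
RULES = {
    # Logon-triggered task at highest run level whose action lives under C:\Users.
    "schtasks_onlogon_highest_userdir": [
        r"\bschtasks(\.exe)?\b.*\s/create\b",
        r"\s/sc\s+onlogon\b",
        r"\s/rl\s+highest\b",
        r"\s/tr\s+['\"]*[a-z]:\\users\\",
    ],
    # rundll32 handed a DLL from a user-writable path plus an export name.
    "rundll32_dll_from_user_dir": [
        r"rundll32(\.exe)?\"?\s+[a-z]:\\users\\[^,]+\.dll\s*,\s*\w+",
    ],
    # cmd.exe /c on a .bat under a Temp directory.
    "cmd_runs_temp_bat": [
        r"cmd(\.exe)?\"?\s+/c\s+\"*[a-z]:\\users\\.*\\temp\\[^\"]+\.bat",
    ],
    # An executable launched straight out of AppData with no arguments (context, low severity).
    "exe_from_appdata": [
        r"^\"?[a-z]:\\users\\[^\"]*\\appdata\\[^\"]*\.exe\"?$",
    ],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in RULES.items()}

# WerFault's reporting invocation, '-u -p <pid> -s <handle>', appears once per crash of <pid>;
# the '-pss ... -p <pid> -ip <pid>' form is the helper and is not counted.
CRASH_RE = re.compile(r"WerFault\.exe\b.*\s-u\s+-p\s+(\d+)", re.I)


def triage(cmdlines):
    """Map each rule name to the command lines on which all of its regexes match."""
    hits = {name: [] for name in COMPILED}
    for cmd in cmdlines:
        for name, pats in COMPILED.items():
            if all(p.search(cmd) for p in pats):
                hits[name].append(cmd)
    return hits


def crash_storms(cmdlines, threshold=2):
    """PIDs that WerFault reported at least `threshold` times (repeated crashes of one process)."""
    counts = Counter(int(m.group(1)) for cmd in cmdlines for m in [CRASH_RE.search(cmd)] if m)
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for name, cmds in triage(SAMPLE_CMDLINES).items():
        for cmd in cmds:
            print(f"{name}: {cmd}")
    print("repeated crashes by PID:", crash_storms(SAMPLE_CMDLINES))
```

The schtasks rule fires twice on purpose: once on the cmd.exe wrapper and once on the schtasks.exe child, which is how the same event shows up in most EDR process telemetry. A single-PID crash counter is the cheap way to surface the "Program crash" behaviour seen here; legitimate software rarely gets reported by WerFault more than once per run.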

Network

Country Destination Domain Proto
US 138.91.171.81:80 - tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 96.39.123.93.in-addr.arpa udp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 8.8.8.8:53 230.28.217.95.in-addr.arpa udp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FR 94.228.162.82:80 94.228.162.82 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 82.162.228.94.in-addr.arpa udp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FR 94.228.162.82:7707 - tcp
FR 94.228.162.82:7707 - tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FR 94.228.162.82:7707 - tcp
US 8.8.8.8:53 - udp
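The Network table mixes three kinds of traffic: PTR lookups made by the guest, forward lookups, and the connections the payloads actually open. The script below is an added example for this report, not sandbox output. It parses the table (a subset copied as sample input; rows whose Domain cell is empty in the raw table are kept without a value, and "-" is accepted as an empty cell too), turns in-addr.arpa names back into addresses, separates PTR lookups that correspond to a real connection from those that do not, and flags direct-to-IP connections and non-standard ports. On this run it isolates 94.228.162.82:7707, which lines up with AsyncClient.exe because 7707 is one of AsyncRAT's default listener ports, and the steamcommunity.com fetch (the cached 76561199673019888[1].htm in INetCache) matches Vidar's usual use of a Steam profile page as a dead-drop for its C2 address. Both attributions are inferences from the report's tags and file list, not something the table itself states.

```python
STANDARD_PORTS = {53, 80, 443}

# Constructed sample input: rows copied from the Network table above. Where the raw table has
# no Domain cell the row simply has three fields; the parser also accepts "-" for an empty cell.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 96.39.123.93.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 8.8.8.8:53 230.28.217.95.in-addr.arpa udp
FR 94.228.162.82:80 94.228.162.82 tcp
US 8.8.8.8:53 82.162.228.94.in-addr.arpa udp
FR 94.228.162.82:7707 tcp
FR 94.228.162.82:7707 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
"""


def ptr_to_ip(name):
    """Reverse an IPv4 PTR name: '9.228.82.20.in-addr.arpa' -> '20.82.228.9'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def parse_network(text):
    """Rows as dicts. Domain is None when the cell is empty, '-', or merely echoes the IP."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3:
            country, dest, proto = f
            domain = None
        elif len(f) == 4:
            country, dest, domain, proto = f
        else:
            continue
        if ":" not in dest or proto not in ("tcp", "udp"):
            continue  # header line
        ip, port = dest.rsplit(":", 1)
        if domain in ("-", ip):
            domain = None
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split DNS into forward names and PTR targets, then cross-check PTRs against connections."""
    forward, ptr_ips, tcp = set(), set(), {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"] is None:
                continue  # query name not recorded on this row
            if r["domain"].endswith(".in-addr.arpa"):
                ptr_ips.add(ptr_to_ip(r["domain"]))
            else:
                forward.add(r["domain"])
        elif r["proto"] == "tcp":
            key = f"{r['ip']}:{r['port']}"
            e = tcp.setdefault(key, {"country": r["country"], "domain": None, "hits": 0})
            e["hits"] += 1
            e["domain"] = e["domain"] or r["domain"]
    contacted = {k.rsplit(":", 1)[0] for k in tcp}
    return {
        "forward_lookups": forward,
        "tcp_endpoints": tcp,
        "direct_to_ip": sorted(k for k, e in tcp.items() if e["domain"] is None),
        "nonstandard_ports": sorted(k for k in tcp if int(k.rsplit(":", 1)[1]) not in STANDARD_PORTS),
        # PTR lookups for addresses that were also connected to belong with the payload traffic;
        # the rest are most likely background lookups by the guest OS and can be dropped from IOCs.
        "ptr_correlated": sorted(ptr_ips & contacted),
        "ptr_uncorrelated": sorted(ptr_ips - contacted),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_network(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

When turning this into block-list material, keep the forward lookups, the TCP endpoints and the correlated PTR addresses; the uncorrelated PTR addresses (20.82.228.9, 52.111.227.11, 93.184.221.240 in the sample) were never connected to in this table and should not be blocked on the strength of this report alone.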

Files

memory/3076-1-0x0000000002F40000-0x0000000003040000-memory.dmp

memory/3076-2-0x00000000048E0000-0x000000000494F000-memory.dmp

memory/3076-3-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 11dcd8e017b0e067e922cfb6507a8dde
SHA1 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

memory/3076-16-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/3076-17-0x00000000048E0000-0x000000000494F000-memory.dmp

memory/3120-18-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

memory/3120-19-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\177723727746

MD5 2460504450c5ee02aa3d0641c72203db
SHA1 b77efb515ffbf393bb2264b4710a00730cd02af9
SHA256 78c05f2239223da7c3b4832aabb8fb7fa933d028aded1c797c9561ae61367d3c
SHA512 576b8c74dd827fee2713c418f00d6b2de73139ec8258f4a656258c887e6affd67507db7e167716d84347a370026bcd419b5124c69073616ac0f7a0cb86ce23f7

memory/3120-29-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/3120-30-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/3120-31-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

memory/4404-34-0x0000000002F60000-0x0000000003060000-memory.dmp

memory/4404-35-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/4404-37-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

MD5 b099ea0b80ecf49caa0d7003e0c95071
SHA1 228a2aec5cf27fd0fca1f23161257f86bd8359ca
SHA256 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92
SHA512 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

memory/2052-54-0x0000000003020000-0x0000000003120000-memory.dmp

memory/2052-55-0x0000000002DA0000-0x0000000002DD5000-memory.dmp

memory/2052-56-0x0000000000400000-0x0000000002C2E000-memory.dmp

memory/2052-58-0x0000000000400000-0x0000000002C2E000-memory.dmp

memory/3120-59-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll

MD5 37976db9d0e6f8bf9db5ae4b56006d9d
SHA1 dda3158d09c332c054d01fa08ad9824cb00c7d6a
SHA256 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687
SHA512 fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

memory/4420-89-0x0000000002E70000-0x0000000002F70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SMQKEDQF\76561199673019888[1].htm

MD5 45754877126e2fdd6c153d56f2dffbcf
SHA1 eb461e1d29ac00c58500f6b2b0670f131facf17d
SHA256 6e9396ba63aaf6c813d8b83b58f6a73e49c047050201abc8594a1a4d26779a7b
SHA512 f256cb20b91b455dd5f24cc826b77f10040401ba6fed8a5510ed3c213d972ca2dbaa12f91578b3c0fb7005191e497f94893c5c7481a36c9cae6116a86c734e77

memory/4420-91-0x0000000000400000-0x0000000002C2E000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

MD5 7fd8581748cdf137023ef96f1286ce0f
SHA1 c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512 bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

memory/1524-121-0x00000000003F0000-0x0000000000402000-memory.dmp

memory/1524-122-0x00000000719E0000-0x0000000072190000-memory.dmp

memory/4420-123-0x0000000000400000-0x0000000002C2E000-memory.dmp

memory/1524-124-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/1524-125-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

memory/1524-130-0x00000000719E0000-0x0000000072190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5251.tmp.bat

MD5 e7921ed96e652a36a3f3b21da4bd1bb7
SHA1 9b205ef0235f18015cb672f05993e016aadd9514
SHA256 283d97d7b80495871c6b6fed624f9e03835a3b326ff8518c9cb02283b7bec1c7
SHA512 d9fd9afe11da066440c78cc804a69a0f4777b85be59b5a0daaf7179ec861019028923d8d8677393e05175f35b54799aaf469edbd6d37ada30865f259cbfdd931

memory/3120-132-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/4724-136-0x0000000072E60000-0x0000000073610000-memory.dmp

memory/4724-137-0x0000000004C50000-0x0000000004C60000-memory.dmp

memory/4724-138-0x0000000005690000-0x0000000005C34000-memory.dmp

memory/4724-139-0x00000000050E0000-0x0000000005146000-memory.dmp

memory/4724-141-0x0000000006280000-0x00000000062F6000-memory.dmp

memory/4724-142-0x0000000006500000-0x000000000659C000-memory.dmp

memory/4724-143-0x0000000006260000-0x000000000627E000-memory.dmp

memory/4724-144-0x00000000065B0000-0x00000000065F0000-memory.dmp

memory/4724-145-0x00000000065F0000-0x00000000065FA000-memory.dmp

memory/4852-148-0x0000000002F10000-0x0000000003010000-memory.dmp

memory/4724-149-0x0000000072E60000-0x0000000073610000-memory.dmp

memory/4852-150-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/4852-152-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/4724-153-0x0000000004C50000-0x0000000004C60000-memory.dmp

memory/4724-154-0x0000000006720000-0x0000000006782000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 e9d7e93d329a2d504598ce563bf90039
SHA1 c25a8cf0489ce39e9ef43ab4fad2acd6432e277e
SHA256 c2123dc6c525f0326e1d5e1a0f9eb3d2f26ca2f3678627a9f33aea766d2a035f
SHA512 6daa052fdd2f76d734cf300a22d57503337f65c751efceeea8e7383170dfd5cf8d5d77fd4639f1b1db3289d0cee53dcf6afda3e71aae260a73ba65b413880d2a