Analysis Overview
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Threat Level: Known bad
The file 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70 was found to be: Known bad.
Malicious Activity Summary
ZGRat
AsyncRat
Amadey
Detect ZGRat V1
Detect Vidar Stealer
Vidar
Async RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Reads local data of messenger clients
Reads WinSCP keys stored on the system
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-17 04:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-17 04:32
Reported: 2024-04-17 04:34
Platform: win10v2004-20240412-en
Max time kernel: 146s
Max time network: 151s
Command Line
Signatures
Amadey
AsyncRat
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
"C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4928 -ip 4928
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1672
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 2104
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3000 -ip 3000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 444
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1772
C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1636
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1508
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3384 -ip 3384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 2052
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D9E.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\appBroker.exe
"C:\Users\Admin\AppData\Roaming\appBroker.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1664
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5044 -ip 5044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1704
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084619521222_Desktop.zip' -CompressionLevel Optimal
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 96.39.123.93.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 230.28.217.95.in-addr.arpa | udp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FR | 94.228.162.82:80 | 94.228.162.82 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 82.162.228.94.in-addr.arpa | udp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| FR | 94.228.162.82:8808 | N/A | tcp |
| FR | 94.228.162.82:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FR | 94.228.162.82:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 11dcd8e017b0e067e922cfb6507a8dde |
| SHA1 | 80c4e499c9666401a0f9099482c7fa9debe006d5 |
| SHA256 | 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70 |
| SHA512 | 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0 |
C:\Users\Admin\AppData\Local\Temp\084619521222
| MD5 | afe85149c9e70a1c571891de76ba8f22 |
| SHA1 | 7f37756058e649f47f9b078c741a02df6c3a3ec6 |
| SHA256 | b18a909a9bc3c0e7f66d72fee4f3ee09b61fcc804d14461a691e956797c31446 |
| SHA512 | bf049ca4d7c9230d43ab85e6d25b02ae4d70b161ad383190c480eb21ec05459ff5f8d438c82444f878b74e364d9f06318928ff1397f3f6061f811fdad2026b35 |
C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
| MD5 | b099ea0b80ecf49caa0d7003e0c95071 |
| SHA1 | 228a2aec5cf27fd0fca1f23161257f86bd8359ca |
| SHA256 | 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92 |
| SHA512 | 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029 |
C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll
| MD5 | 37976db9d0e6f8bf9db5ae4b56006d9d |
| SHA1 | dda3158d09c332c054d01fa08ad9824cb00c7d6a |
| SHA256 | 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687 |
| SHA512 | fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UWHIVHCX\76561199673019888[1].htm
| MD5 | 91743118bdf874eb686609a23dff2474 |
| SHA1 | e8c358db98fc54897d14e8f830b2febf521c6b54 |
| SHA256 | d6f29928c04e39d5c9fb69bdaf4fe9f79c521e77140e3c7565954bfb57f60b7c |
| SHA512 | 260dc393c39bc7ba587a76dbcce3a0d401014c88b0dc6c97e4aa9be9ba6159c16d8a7229eaad07a8ad0baf97c33ce081ea1b224ef31c1bc0e00f8ed85eaf13d2 |
C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
| MD5 | 7fd8581748cdf137023ef96f1286ce0f |
| SHA1 | c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a |
| SHA256 | 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6 |
| SHA512 | bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282 |
C:\Users\Admin\AppData\Local\Temp\tmp4D9E.tmp.bat
| MD5 | a07278971d6ba8fc3d4a320185f7e129 |
| SHA1 | 284ff25c910d2c9830f7e4fa45137a01e1dd1f21 |
| SHA256 | 570ad432376f7e4ca05c82d198b901fbe3e90388e4b7909c68a90c5491b89e18 |
| SHA512 | 6a4774739c2aee27e8b5ae2275850937c1d7b29f35b7ac567ce1cc372aff172e9c178b92d946d4582f9b8f98b2ef23c117377d8482a8cd9104b2c50c23ef0b47 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_btwlepma.fd4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-17 04:32
Reported: 2024-04-17 04:35
Platform: win11-20240412-en
Max time kernel: 152s
Max time network: 161s
Command Line
Signatures
Amadey
AsyncRat
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\appBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
"C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 436 -ip 436
| Process | Command line |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1116 |
| C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 436 -ip 436 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1176 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 580 |
| C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 624 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 644 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 864 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4612 -ip 4612 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 472 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 864 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 896 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 912 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 932 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 860 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1036 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1168 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1168 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1268 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1136 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1768 |
| C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe | "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1740 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4684 -ip 4684 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2156 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main |
| C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1592 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 4396 |
| C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1940 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4396 -ip 4396 |
| C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe | "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1888 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1720 |
| C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4516 -ip 4516 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 476 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE2E9.tmp.bat"" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' |
| C:\Windows\SysWOW64\timeout.exe | timeout 3 |
| C:\Users\Admin\AppData\Roaming\appBroker.exe | "C:\Users\Admin\AppData\Roaming\appBroker.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1792 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4396 -ip 4396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1916 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\258603162493_Desktop.zip' -CompressionLevel Optimal |
| C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4264 -ip 4264 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 476 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| FI | 95.217.28.230:443 | 95.217.28.230 | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| FR | 94.228.162.82:80 | 94.228.162.82 | tcp |
| FR | 94.228.162.82:8808 | | tcp |
| FR | 94.228.162.82:8808 | | tcp |
| FR | 94.228.162.82:8808 | | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| N/A | 192.229.221.95:80 | | tcp |
Files