Malware Analysis Report

2025-01-02 12:15

Sample ID 240417-e54jtsdh24
Target 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Tags
amadey asyncrat vidar zgrat default persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70

Threat Level: Known bad

The file 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70 was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat vidar zgrat default persistence rat spyware stealer trojan

ZGRat

AsyncRat

Amadey

Detect ZGRat V1

Detect Vidar Stealer

Vidar

Async RAT payload

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Reads local data of messenger clients

Reads WinSCP keys stored on the system

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 04:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 04:32

Reported

2024-04-17 04:34

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Vidar Stealer

stealer
Description Indicator Process Target Count
N/A N/A N/A N/A 6

Detect ZGRat V1

Description Indicator Process Target Count
N/A N/A N/A N/A 2

Vidar

stealer vidar

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 3
N/A N/A C:\Windows\system32\rundll32.exe N/A 1

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe 11
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe 23
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe 1
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe 1

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A 19
N/A N/A C:\Windows\system32\rundll32.exe N/A 10
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\appBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4928 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe 3
PID 2408 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe 3
PID 2408 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 2408 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe 3
PID 2408 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe 3
PID 2408 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 2408 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe 3
PID 4348 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4348 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3284 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 2360 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 3
PID 2360 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe 3
PID 2408 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 2192 wrote to memory of 1292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe 2
PID 1292 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe 2
PID 1292 wrote to memory of 4152 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2

Processes

C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe

"C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4928 -ip 4928

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1672

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 2104

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3000 -ip 3000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 444

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1772

C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe

"C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1636

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1508

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3384 -ip 3384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 2052

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D9E.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\appBroker.exe

"C:\Users\Admin\AppData\Roaming\appBroker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1664

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1704

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084619521222_Desktop.zip' -CompressionLevel Optimal

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 96.39.123.93.in-addr.arpa udp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 230.28.217.95.in-addr.arpa udp
FI 95.217.28.230:443 95.217.28.230 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FR 94.228.162.82:80 94.228.162.82 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 82.162.228.94.in-addr.arpa udp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
FR 94.228.162.82:8808 tcp
FR 94.228.162.82:8808 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FR 94.228.162.82:8808 tcp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp

Files

memory/4928-1-0x0000000002FA0000-0x00000000030A0000-memory.dmp

memory/4928-2-0x0000000002DA0000-0x0000000002E0F000-memory.dmp

memory/4928-3-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 11dcd8e017b0e067e922cfb6507a8dde
SHA1 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

memory/4928-16-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/4928-17-0x0000000002DA0000-0x0000000002E0F000-memory.dmp

memory/2408-18-0x0000000002FF0000-0x00000000030F0000-memory.dmp

memory/2408-19-0x0000000000400000-0x0000000002C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\084619521222

MD5 afe85149c9e70a1c571891de76ba8f22
SHA1 7f37756058e649f47f9b078c741a02df6c3a3ec6
SHA256 b18a909a9bc3c0e7f66d72fee4f3ee09b61fcc804d14461a691e956797c31446
SHA512 bf049ca4d7c9230d43ab85e6d25b02ae4d70b161ad383190c480eb21ec05459ff5f8d438c82444f878b74e364d9f06318928ff1397f3f6061f811fdad2026b35


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 04:32

Reported

2024-04-17 04:35

Platform

win11-20240412-en

Max time kernel

152s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\appBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 436 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 436 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 436 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 4396 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 4396 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 4396 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
PID 4396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4396 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 4396 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 4396 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
PID 4396 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4396 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4396 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4396 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 4396 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 4396 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 4396 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 4396 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 4396 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
PID 1972 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4656 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4656 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4656 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4656 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 4656 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 4656 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\appBroker.exe
PID 4396 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4396 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 4396 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Windows\SysWOW64\rundll32.exe
PID 3692 wrote to memory of 2368 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3692 wrote to memory of 2368 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2368 wrote to memory of 1212 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 1212 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 3496 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3496 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe

"C:\Users\Admin\AppData\Local\Temp\2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1116

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 580

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1768

C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

"C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4684 -ip 4684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2156

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1592

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4396 -ip 4396

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4396 -ip 4396

C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

"C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1720

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 476

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE2E9.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\appBroker.exe

"C:\Users\Admin\AppData\Roaming\appBroker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1916

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\258603162493_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
FI 95.217.28.230:443 95.217.28.230 tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
FI 95.217.28.230:443 95.217.28.230 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
FR 94.228.162.82:80 94.228.162.82 tcp
FR 94.228.162.82:8808 tcp
FR 94.228.162.82:8808 tcp
FR 94.228.162.82:8808 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
N/A 192.229.221.95:80 tcp

Files


memory/3088-144-0x0000000006630000-0x000000000664E000-memory.dmp

memory/3088-145-0x0000000006800000-0x0000000006840000-memory.dmp

memory/3088-146-0x0000000006660000-0x000000000666A000-memory.dmp

memory/3088-149-0x0000000006A70000-0x0000000006AD2000-memory.dmp

memory/3088-150-0x00000000724B0000-0x0000000072C61000-memory.dmp

memory/3088-151-0x0000000004F00000-0x0000000004F10000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 4876ee75ce2712147c41ff1277cd2d30
SHA1 3733dc92318f0c6b92cb201e49151686281acda6
SHA256 bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

memory/4396-164-0x0000000000400000-0x0000000002C4C000-memory.dmp

memory/3496-166-0x00007FFBBF6C0000-0x00007FFBC0182000-memory.dmp

memory/3496-167-0x000001CC4BDD0000-0x000001CC4BDE0000-memory.dmp

memory/3496-168-0x000001CC4BDD0000-0x000001CC4BDE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iazfxq2n.alv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3496-177-0x000001CC65B80000-0x000001CC65BA2000-memory.dmp

memory/3496-178-0x000001CC4BDD0000-0x000001CC4BDE0000-memory.dmp

memory/3496-179-0x000001CC65C10000-0x000001CC65C22000-memory.dmp

memory/3496-180-0x000001CC65BF0000-0x000001CC65BFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Files_\SyncPing.xls

MD5 6bcbcbd38a160f31a983baf685317119
SHA1 bdcd302c4a9b2f498a210b33c5289352d10135bc
SHA256 b7412915875632d11fefc9271a7a2c95a1e130d84886d057f02d2b44f5106132
SHA512 9fc1ff8e677078b888cc26a1801bb3969b337931ce1ee3381a41cd2411fff053fdd66a1717b0eefdc94729bceac91279089d17cfe5bfe75f859c7aa214d4cca3

memory/3496-186-0x00007FFBBF6C0000-0x00007FFBC0182000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\258603162493_Desktop.zip

MD5 888109621445b833b7a421884fa630d2
SHA1 14aded356b697a143e35099467cc4f283672fd09
SHA256 88d0a3a21ad28a90e082a4cb3874006c0fcc35ab07476c802ecc63ff8117a1a0
SHA512 0736eefc0aaa440b3c6619f55f94d5e9eeb9fb8cb379cd1fbfa31fcb27558acb22c44b8427219a943ced3c6da9635a27bdb509339e0bb59ddf58119f5cd8cd99

memory/4264-190-0x0000000002F80000-0x0000000003080000-memory.dmp

memory/4264-191-0x0000000000400000-0x0000000002C4C000-memory.dmp