Malware Analysis Report

2024-09-11 11:13

Sample ID 240610-nnwx4ahb9z
Target fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01
SHA256 fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01
Tags
amadey 9a3efc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01

Threat Level: Known bad

The file fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01 was found to be: Known bad.

Malicious Activity Summary

amadey 9a3efc trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-10 11:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 11:33

Reported

2024-06-10 11:35

Platform

win11-20240508-en

Max time kernel

144s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2180 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2180 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe

"C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1132

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1452

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 904 -ip 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 472

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2896 -ip 2896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 856

Network

Country Destination Domain Proto
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 techolivls.in udp
BR 179.152.58.121:80 check-ftp.ru tcp
BR 179.152.58.121:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
BR 179.152.58.121:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp

Files

memory/2180-1-0x0000000000840000-0x0000000000940000-memory.dmp

memory/2180-2-0x00000000023B0000-0x000000000241B000-memory.dmp

memory/2180-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 95fc6ec18023c695a33b54d2950e22a3
SHA1 cd06f2953921da8dd8a62ef55a7467722f58e799
SHA256 fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01
SHA512 12209c540b81dde16d252040cbbe80e87645d1862d1e773df3cbe1f68b08240f50170d71723171469fb1a12be6c2e12a3e4ce960ddbd6be5911b9dac4a2c3c06

memory/812-20-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/812-19-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2180-23-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2180-22-0x00000000023B0000-0x000000000241B000-memory.dmp

memory/2180-21-0x0000000000400000-0x00000000006AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\433428765247

MD5 d2f1acacd12411b72d42d56325265f9b
SHA1 1558448a7c1a8b3915248eb7f9a35007105d72e5
SHA256 fc162ea81a133e1d2ecbff81d530972680c1146d9f714ba0e5b4b089dedc5cc8
SHA512 621414b7bc39393a8d872f2f4c56517e3a3cf2714e9c8e9590fa1f069fe00be77a30383d2f12a14629ce3b40111c4c8ccbd1cde4cff09ec97b05a200a51aa0af

memory/812-36-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/812-40-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/904-46-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/904-47-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2896-56-0x0000000000400000-0x00000000006AA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 11:33

Reported

2024-06-10 11:35

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 4012 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 4012 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe

"C:\Users\Admin\AppData\Local\Temp\fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1208

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1304

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2688 -ip 2688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 440

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 888

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 dnschnj.at udp
BR 179.152.58.121:80 check-ftp.ru tcp
BR 179.152.58.121:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
BR 179.152.58.121:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
US 8.8.8.8:53 121.58.152.179.in-addr.arpa udp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4012-2-0x0000000000800000-0x000000000086B000-memory.dmp

memory/4012-1-0x0000000000A40000-0x0000000000B40000-memory.dmp

memory/4012-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 95fc6ec18023c695a33b54d2950e22a3
SHA1 cd06f2953921da8dd8a62ef55a7467722f58e799
SHA256 fb73162e1793fbb3c6fd03a8df8c0b4e487a81735358f8bdf8d31ac906010d01
SHA512 12209c540b81dde16d252040cbbe80e87645d1862d1e773df3cbe1f68b08240f50170d71723171469fb1a12be6c2e12a3e4ce960ddbd6be5911b9dac4a2c3c06

memory/1708-19-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/4012-21-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4012-22-0x0000000000800000-0x000000000086B000-memory.dmp

memory/4012-20-0x0000000000400000-0x00000000006AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124900551406

MD5 23341d42cf947b51d6eb79aea5531c42
SHA1 2f9994fcfd3e5dfe4b375b1742f6a6ff227c8ac5
SHA256 842ed85d9aea8eec2bb626b2af1a883abc455089de5296f36e7935ead9ffc6d1
SHA512 71c4484090d6bec26d50ca2e1268e31a2b32829c535d97cc5eeaf643b67f9a5551f9820f37268ceeccdf28872964d87765b61df789fbd5d1cd0db9b97dddb4a1

memory/1708-38-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2688-43-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2688-44-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2448-53-0x0000000000400000-0x00000000006AA000-memory.dmp