Malware Analysis Report

2024-09-11 13:42

Sample ID 240611-2523bsvhkq
Target ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a
SHA256 ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a

Threat Level: Known bad

The file ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-11 23:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 23:10

Reported

2024-06-11 23:13

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4192 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4192 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe

"C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1236

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1336

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 892

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 21.114.189.91.in-addr.arpa udp
KR 211.181.24.132:80 selltix.org tcp
KR 211.181.24.132:80 selltix.org tcp
KR 211.181.24.132:80 selltix.org tcp
KR 211.181.24.132:80 selltix.org tcp
US 8.8.8.8:53 132.24.181.211.in-addr.arpa udp
KR 211.181.24.132:80 selltix.org tcp
KR 211.181.24.132:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
KR 211.181.24.132:80 selltix.org tcp
KR 211.181.24.132:80 selltix.org tcp
KR 211.181.24.132:80 selltix.org tcp
LB 89.249.221.146:80 selltix.org tcp
US 8.8.8.8:53 146.221.249.89.in-addr.arpa udp

Files

memory/4192-2-0x0000000001F70000-0x0000000001FDF000-memory.dmp

memory/4192-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

memory/4192-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 4b8cad4e596920ace7137ed2515c8e0d
SHA1 a174a7254b0b3a104519ce73cfdd32cc49d23169
SHA256 ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a
SHA512 5911d532d777c2a80bf16d4719f0e5fcddd9eb53f4ec34cf6c1fde27c2da56e682c22be0b768ac73166edd712f189f7ee1ff7bdba2d53d997483c8b96eb520c4

memory/3936-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3936-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4192-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4192-22-0x0000000001F70000-0x0000000001FDF000-memory.dmp

memory/4192-23-0x0000000000400000-0x0000000000472000-memory.dmp

memory/3444-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3444-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3936-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3444-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3444-34-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\080292272204

MD5 b3e58a46d2267f7ab983082a61aaef40
SHA1 3d6fcaa5950cb3a46563085feaf7d372244e1ce4
SHA256 835fd42233a93dfa81b0282fb1f0c17e9c14bd92e04d220c1767567a0408d2d3
SHA512 fd28575fc31a932192e60429fe799ba8a7cdf765ca2decf7b0577e5a1860beed500627586083d3a423339573abfdda41c5bda739982eb742a9ec798b900f6474

memory/3936-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3936-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3936-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4100-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4100-56-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 d47b646093dd84d34885a714ce4bd74e
SHA1 c4df23671b6440e29159093dc52cb8c4aa184597
SHA256 6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352
SHA512 906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

memory/3936-69-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2800-77-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 23:10

Reported

2024-06-11 23:13

Platform

win11-20240419-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4224 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4224 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe

"C:\Users\Admin\AppData\Local\Temp\ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1136

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1532

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4992 -ip 4992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 472

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 912

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1656 -ip 1656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 472

Network

Country Destination Domain Proto
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp

Files

memory/4224-1-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/4224-2-0x00000000021F0000-0x000000000225F000-memory.dmp

memory/4224-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 4b8cad4e596920ace7137ed2515c8e0d
SHA1 a174a7254b0b3a104519ce73cfdd32cc49d23169
SHA256 ea7f2dd7c8390bef3b0676e9ba9faf34e1a0905b8f9dac75e677def1b4b7113a
SHA512 5911d532d777c2a80bf16d4719f0e5fcddd9eb53f4ec34cf6c1fde27c2da56e682c22be0b768ac73166edd712f189f7ee1ff7bdba2d53d997483c8b96eb520c4

memory/3280-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4224-22-0x00000000021F0000-0x000000000225F000-memory.dmp

memory/4224-21-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4224-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3280-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4992-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4992-31-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\474490143322

MD5 d9e88d43ebb2b3073efd7caea644cc09
SHA1 f52db4218f155117f296fb642d1ff7b67fd6fe66
SHA256 5013ded8752079a6013a72b7c2b75cfa7ad433f755d0b062a2508734ec0db158
SHA512 592061f97768498befbbc0a70b1fc0dd3bfa31e76d0b411e76c110fcade883c262fcd5529186adb7e201579012f96d75b78ee55435bad3426b94dcddcc2c074a

memory/3280-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3280-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4840-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1656-60-0x0000000000400000-0x0000000000482000-memory.dmp