Malware Analysis Report

2024-09-11 13:42

Sample ID 240612-j2nresvgpf
Target 15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52
SHA256 15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52

Threat Level: Known bad

The file 15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52 was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 08:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 08:10

Reported

2024-06-12 08:12

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2504 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2504 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe

"C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1236

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 472

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1460

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp

Files

memory/2504-1-0x0000000001DA0000-0x0000000001EA0000-memory.dmp

memory/2504-2-0x0000000003840000-0x00000000038AF000-memory.dmp

memory/2504-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 d783e26f6356588a06eb749df60ceae0
SHA1 2417807d113aedb6e4351cc6a195361c35e96ed1
SHA256 15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52
SHA512 2bd4209b893517c51c4f1f20edcc7e67a4789684f97f8ef7b130c321249b2c8ad1e2fa45d97723b9e56d2e7b451ff26083da1cfd87c5d4372c1be9930c30b76e

memory/4844-16-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/4844-17-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/2504-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2504-19-0x0000000003840000-0x00000000038AF000-memory.dmp

memory/2504-18-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/4844-21-0x0000000000400000-0x0000000001BF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124900551406

MD5 1dd86916863ac78a7735a093a1455743
SHA1 bfb2aea248aaea9acf13210fcd7a3bbd5aae9091
SHA256 ff21c430b7b1878416e655c5489fa1ca77a3227c09dd130164e4ce3dfb394035
SHA512 0ccec1ef27e568fdfc18ca872963c1abdcddfc14ed65eec64528e03fdc6c44998c712a1f792ae979bb0a075861c03ef15af58af1fff0b75ffd7445fe1586ad9c

memory/4264-39-0x0000000000400000-0x0000000001BF8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 08:10

Reported

2024-06-12 08:12

Platform

win11-20240611-en

Max time kernel

143s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4108 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4108 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4108 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe

"C:\Users\Admin\AppData\Local\Temp\15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1136

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1392

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1680

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 424 -ip 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 904

Network

Country Destination Domain Proto
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
RU 91.189.114.21:80 otyt.ru tcp
IR 2.185.214.11:80 selltix.org tcp
IR 2.185.214.11:80 selltix.org tcp
IR 2.185.214.11:80 selltix.org tcp
IR 2.185.214.11:80 selltix.org tcp
IR 2.185.214.11:80 selltix.org tcp
IR 2.185.214.11:80 selltix.org tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
IR 2.185.214.11:80 selltix.org tcp
IR 2.185.214.11:80 selltix.org tcp
IR 2.185.214.11:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp

Files

memory/4108-2-0x0000000001E60000-0x0000000001ECF000-memory.dmp

memory/4108-1-0x0000000001EE0000-0x0000000001FE0000-memory.dmp

memory/4108-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 d783e26f6356588a06eb749df60ceae0
SHA1 2417807d113aedb6e4351cc6a195361c35e96ed1
SHA256 15b3c3d89a50ab5e951d82ef1ca8d8d93bb8b6058723ec610b399a77d7d44a52
SHA512 2bd4209b893517c51c4f1f20edcc7e67a4789684f97f8ef7b130c321249b2c8ad1e2fa45d97723b9e56d2e7b451ff26083da1cfd87c5d4372c1be9930c30b76e

memory/424-16-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/4108-18-0x0000000001E60000-0x0000000001ECF000-memory.dmp

memory/4108-17-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/4108-19-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\524922173293

MD5 00277d797ee30cb09a1c82400b31ac5b
SHA1 3dda2b2b7ae4fb26426da26b5f115361ab508126
SHA256 4be0a17c32ea1fbe984a1801454d70ac4e1608771d3b232e66a0c9cdb8d09c0f
SHA512 3e6fb7c2fe7d9c3edb7f96712927b9707787539aaef4aba8b133ab3e9a2d1b5a872c5c2e6973880b281ddbc2f87bcb836d61428247a9eee61092acdb73165eee

memory/424-28-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/424-36-0x0000000000400000-0x0000000001BF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 d47b646093dd84d34885a714ce4bd74e
SHA1 c4df23671b6440e29159093dc52cb8c4aa184597
SHA256 6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352
SHA512 906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

memory/424-45-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/424-51-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/4856-54-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/424-65-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/424-71-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/1488-75-0x0000000000400000-0x0000000001BF8000-memory.dmp