Malware Analysis Report

2024-09-11 13:42

Sample ID 240613-2pt2saxdrp
Target 4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815
SHA256 4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815

Threat Level: Known bad

The file 4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815 was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:45

Reported

2024-06-13 22:50

Platform

win7-20240221-en

Max time kernel

291s

Max time network

249s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2276 set thread context of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2600 set thread context of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2276 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 1656 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1656 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1656 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1656 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2600 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe

"C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe"

C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe

"C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
RU 91.189.114.21:80 otyt.ru tcp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp
RU 91.189.114.21:80 otyt.ru tcp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
KR 220.125.3.190:80 selltix.org tcp

Files

memory/1656-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1656-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1656-6-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2276-5-0x00000000002B0000-0x000000000031F000-memory.dmp

memory/1656-7-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1656-9-0x0000000000400000-0x0000000000472000-memory.dmp

\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 504e7b2212f1805adf164fb062a9b7a6
SHA1 e9f20911a7a999835ddd1ce78f7d1610b303d86f
SHA256 4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815
SHA512 0496d25abb970fea8e6ce80490282aac40fb300e18f029ae6bdc1a8f7aab532874ce05e998d22c07a858c2c2f2c9883f1d87eda1d65ea328541aaa10a2f72409

memory/1656-22-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2632-30-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2632-31-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\297530677122

MD5 0acd546138ee9b7dc6472751f3ae8082
SHA1 99722cda1dd575c4912912703d0aafc4e7a05140
SHA256 fde50bd8dd3d3b76b835faff336d5746ee299d7b49d66dfefb2ef6164eb5ead0
SHA512 28d91e5410e8770eb461f3859471e78e1667e7cbc3d7eb02c43740cc3f6257ceaf22ab5cdee2630a149105911e854d87ae21ab1b2a5f8d78c21065d97de3364d

memory/2632-51-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2276-52-0x0000000000400000-0x0000000001BE4000-memory.dmp

memory/2632-78-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2632-86-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 d47b646093dd84d34885a714ce4bd74e
SHA1 c4df23671b6440e29159093dc52cb8c4aa184597
SHA256 6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352
SHA512 906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

memory/2632-100-0x0000000000400000-0x0000000000472000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:45

Reported

2024-06-13 22:50

Platform

win10-20240404-en

Max time kernel

292s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2872 set thread context of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 4904 set thread context of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 set thread context of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 set thread context of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 set thread context of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 set thread context of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 592 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 2872 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe
PID 804 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 804 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 804 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4904 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1296 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4552 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2788 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 592 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe

"C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe"

C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe

"C:\Users\Admin\AppData\Local\Temp\4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
KR 220.125.3.190:80 selltix.org tcp
US 8.8.8.8:53 21.114.189.91.in-addr.arpa udp
US 8.8.8.8:53 190.3.125.220.in-addr.arpa udp
US 8.8.8.8:53 nudump.com udp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
KR 220.125.3.190:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp
KR 220.125.3.190:80 selltix.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
BA 92.36.226.66:80 selltix.org tcp
US 8.8.8.8:53 66.226.36.92.in-addr.arpa udp
BA 92.36.226.66:80 selltix.org tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
BA 92.36.226.66:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
BA 92.36.226.66:80 selltix.org tcp
BA 92.36.226.66:80 selltix.org tcp
BA 92.36.226.66:80 selltix.org tcp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp

Files

memory/2872-2-0x0000000003840000-0x00000000038AF000-memory.dmp

memory/2872-1-0x0000000001DA0000-0x0000000001EA0000-memory.dmp

memory/804-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/804-4-0x0000000000400000-0x0000000000472000-memory.dmp

memory/804-5-0x0000000000400000-0x0000000000472000-memory.dmp

memory/804-6-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 504e7b2212f1805adf164fb062a9b7a6
SHA1 e9f20911a7a999835ddd1ce78f7d1610b303d86f
SHA256 4221658b6432fd66575d528ed2c486354c9197b737ac161d6e0e24d7290ca815
SHA512 0496d25abb970fea8e6ce80490282aac40fb300e18f029ae6bdc1a8f7aab532874ce05e998d22c07a858c2c2f2c9883f1d87eda1d65ea328541aaa10a2f72409

memory/804-17-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4956-21-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4956-22-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\106386276412

MD5 e3ea6f26674e7751f8dcb7b4430e1762
SHA1 e5d9038924c6b1816e61e80b1b3bba827b9c14ff
SHA256 db2d701794a4dca6fc3a287037881e51a2bb0966290b6694b4656d92f253f4c9
SHA512 cf4dbc942cf511c495efbe27cbf6eb49b17aa13be09cf9f963e6224cce9dd680c1667f5391c92614a0c80a8da6e41972f5ba7ac3863f9ce3b6df35279480a59f

memory/2988-39-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2988-40-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4956-49-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4956-50-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 d47b646093dd84d34885a714ce4bd74e
SHA1 c4df23671b6440e29159093dc52cb8c4aa184597
SHA256 6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352
SHA512 906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

memory/4956-60-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4956-67-0x0000000000400000-0x0000000000472000-memory.dmp

memory/5108-71-0x0000000000400000-0x0000000000472000-memory.dmp

memory/5108-72-0x0000000000400000-0x0000000000472000-memory.dmp

memory/652-84-0x0000000000400000-0x0000000000472000-memory.dmp

memory/652-85-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4956-99-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2388-104-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2388-105-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4956-127-0x0000000000400000-0x0000000000472000-memory.dmp

memory/5028-138-0x0000000000400000-0x0000000000472000-memory.dmp

memory/5028-139-0x0000000000400000-0x0000000000472000-memory.dmp