Malware Analysis Report

2024-09-11 13:42

Sample ID 240613-atrnnsxbpa
Target f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe
SHA256 f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe

Threat Level: Known bad

The file f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:30

Reported

2024-06-13 00:33

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1324 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1324 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1324 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe

"C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1248

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1436

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4260 -ip 4260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 440

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 904

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2016 -ip 2016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp

Files

memory/1324-1-0x0000000001F60000-0x0000000002060000-memory.dmp

memory/1324-2-0x0000000003870000-0x00000000038DF000-memory.dmp

memory/1324-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 431a1c2a09d2c4c7d00715a8538705f6
SHA1 a79b0441310b146a38c8c223e67118c0ce410e0d
SHA256 f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe
SHA512 75b266c1b955a57e1e1787f26d752d947e530c7a0a40f8fa75656eb4388eca315f4d177756729d780ee6beb37ec4ec31947ea942a47cb35bb2d4771e5c369366

memory/3796-16-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/3796-17-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/1324-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1324-19-0x0000000003870000-0x00000000038DF000-memory.dmp

memory/1324-18-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/3796-25-0x0000000000400000-0x0000000001BFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\804150937214

MD5 e13b12e928a7c91bb0fdc18286016229
SHA1 b4d6777227977a85354a499fdc39d304d8df88fd
SHA256 7f7840b0376752f190f216e2e0892c753362edfba5b363c14c4adf84c41678d9
SHA512 5f668813adc86ee1cee8dfbbbf15bc68dd572213cb3cd290e1c3954b0ac42842d9a54d0da361c8847ccbf886a26d833a1ea6e7c34e41a7b04cb2c90244c021f8

memory/4260-32-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/3796-33-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/3796-42-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/4580-49-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/2016-58-0x0000000000400000-0x0000000001BFC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:30

Reported

2024-06-13 00:33

Platform

win11-20240611-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1952 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1952 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe

"C:\Users\Admin\AppData\Local\Temp\f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1192

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1684 -ip 1684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 504

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 832

Network

Country Destination Domain Proto
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
RU 91.189.114.21:80 otyt.ru tcp
EC 200.63.106.141:80 selltix.org tcp
EC 200.63.106.141:80 selltix.org tcp
EC 200.63.106.141:80 selltix.org tcp
EC 200.63.106.141:80 selltix.org tcp
EC 200.63.106.141:80 selltix.org tcp
EC 200.63.106.141:80 selltix.org tcp
EC 200.63.106.141:80 selltix.org tcp
EC 200.63.106.141:80 selltix.org tcp
EC 200.63.106.141:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp

Files

memory/1952-1-0x0000000001DC0000-0x0000000001EC0000-memory.dmp

memory/1952-2-0x0000000003900000-0x000000000396F000-memory.dmp

memory/1952-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 431a1c2a09d2c4c7d00715a8538705f6
SHA1 a79b0441310b146a38c8c223e67118c0ce410e0d
SHA256 f95e6b3860c5e3ca14dd8a2d2e57a5c918d1fc9fb20831a57d50d8c6df3094fe
SHA512 75b266c1b955a57e1e1787f26d752d947e530c7a0a40f8fa75656eb4388eca315f4d177756729d780ee6beb37ec4ec31947ea942a47cb35bb2d4771e5c369366

memory/1684-16-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/1684-17-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/1684-19-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/1952-22-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1952-21-0x0000000003900000-0x000000000396F000-memory.dmp

memory/1952-20-0x0000000000400000-0x0000000001BFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\235821424191

MD5 b0d27de8abcdbdf8e5d7d88aefefd769
SHA1 71e029df25c8e642a4fc75874e2848f4f96e1bbd
SHA256 0e56eec038bf88f454000ff3df160e68bda63bc75f7283206626317f8c016541
SHA512 7f554359eae90a757116689c99f61e385dfcc810522b51ea72afcfa89edf79b5d1d5e52893d9477718e4df344862537c6f12dce7c5739c66d2137d7cff10e8a9

memory/2380-33-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/2380-41-0x0000000000400000-0x0000000001BFC000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 d47b646093dd84d34885a714ce4bd74e
SHA1 c4df23671b6440e29159093dc52cb8c4aa184597
SHA256 6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352
SHA512 906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

memory/2380-50-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/2380-56-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/2380-67-0x0000000000400000-0x0000000001BFC000-memory.dmp

memory/2380-73-0x0000000000400000-0x0000000001BFC000-memory.dmp