Malware Analysis Report

2024-09-11 10:26

Sample ID 240614-2sagjstalk
Target c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b
SHA256 c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b
Tags
amadey b2c2c1 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b

Threat Level: Known bad

The file c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b was found to be: Known bad.

Malicious Activity Summary

amadey b2c2c1 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:50

Reported

2024-06-14 22:52

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe

"C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4048,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1284

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1508

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 920

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 greendag.ru udp

Files

memory/4904-1-0x0000000000700000-0x0000000000800000-memory.dmp

memory/4904-2-0x0000000000940000-0x00000000009AB000-memory.dmp

memory/4904-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 f8914ff2ef23fc26be2058f5dedebaff
SHA1 6e44dd40ad19887d6d2a218c218b94cc441a9a2b
SHA256 c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b
SHA512 fe68b02f02ec08c359c70b53b5347ea35699e81ce469b9df2e46327102c8a105aa0480f238af06cdcf9aad9e6b559fbf52f547d023be90e346a853882e5ac34d

memory/4904-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4904-19-0x0000000000940000-0x00000000009AB000-memory.dmp

memory/4904-18-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2548-22-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2548-23-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2548-28-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\181767204200

MD5 cf8beeace7998c7415b2f1ed25426684
SHA1 04e4b41af796fb2d35ff8ce40ef2590cb272acab
SHA256 b0086ad2e6af0aa9a7baa1618cb1ea3fa72291e6075d0401d1873e2ad753e645
SHA512 ca90015ffe15e79e6189d6bfb9d6424fba12449b6ed23c716fe13e8a106e7a30a34e241b82818c0db4cb55073be326772e8543a6b80685b2589815eae4333d8b

memory/2548-33-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2548-41-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4316-45-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4316-46-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4316-47-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1516-56-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1516-57-0x0000000000400000-0x0000000000483000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 22:50

Reported

2024-06-14 22:52

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2660 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2660 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe

"C:\Users\Admin\AppData\Local\Temp\c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1132

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1484

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 480

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3264 -ip 3264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 900

Network

Country Destination Domain Proto
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp

Files

memory/2660-1-0x00000000006E0000-0x00000000007E0000-memory.dmp

memory/2660-2-0x0000000002220000-0x000000000228B000-memory.dmp

memory/2660-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 f8914ff2ef23fc26be2058f5dedebaff
SHA1 6e44dd40ad19887d6d2a218c218b94cc441a9a2b
SHA256 c8481c9700a2b8f6423275822ced58f421cade7dc37eb9a25c3290e93cc21d8b
SHA512 fe68b02f02ec08c359c70b53b5347ea35699e81ce469b9df2e46327102c8a105aa0480f238af06cdcf9aad9e6b559fbf52f547d023be90e346a853882e5ac34d

memory/2660-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2660-19-0x0000000002220000-0x000000000228B000-memory.dmp

memory/2660-18-0x0000000000400000-0x0000000000483000-memory.dmp

memory/5056-22-0x0000000000400000-0x0000000000483000-memory.dmp

memory/5056-27-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\457560273698

MD5 1401fb8546401b4568f1864c0f96d951
SHA1 18c76f64fbdb096a2aa634a0f881b0e336f398d3
SHA256 4fcc50e03eb53359cad672222896ee6cb942607e3fb313b0edb13183bc4b8cb9
SHA512 fb7bb678db7c84b56f189a37cb3074417690cd1508ec498a0691247f0aa607f49c565f309d061b332aec9c4a596be640e343469fb8010b76b584673c63818c72

memory/5056-40-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2064-44-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2064-45-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2064-46-0x0000000000400000-0x0000000000483000-memory.dmp

memory/3264-55-0x0000000000400000-0x0000000000483000-memory.dmp