Malware Analysis Report

2024-09-11 11:13

Sample ID 240614-apseeaxdqf
Target c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb
SHA256 c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb
Tags
amadey 9a3efc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb

Threat Level: Known bad

The file c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb was found to be: Known bad.

Malicious Activity Summary

amadey 9a3efc trojan

Amadey

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:23

Reported

2024-06-14 00:26

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2064 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2064 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe

"C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1236

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1544

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2740 -ip 2740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 440

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 532 -ip 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 888

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 936 -ip 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 440

Network

Country Destination Domain Proto
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 check-ftp.ru udp

Files

memory/2064-1-0x00000000023A0000-0x00000000024A0000-memory.dmp

memory/2064-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2064-2-0x0000000003FE0000-0x000000000404B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 533d0bcb60268535cf0823ea47d89c3b
SHA1 8cdc73e1aa72930d875b5c377d06d1c7dbd056a2
SHA256 c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb
SHA512 2b75e2f3f52e88553558a69b3d331be1ffeaaeea3e87eb75483bed908ffc84f120f7f8ab383d9f8cd5fe08d8e1f61bcff064ce33f627d5e4897841d54365e127

memory/64-16-0x0000000000400000-0x0000000002396000-memory.dmp

memory/2064-19-0x0000000003FE0000-0x000000000404B000-memory.dmp

memory/2064-18-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2064-17-0x0000000000400000-0x0000000002396000-memory.dmp

memory/64-24-0x0000000000400000-0x0000000002396000-memory.dmp

memory/2740-27-0x0000000000400000-0x0000000002396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\337824034273

MD5 90c05c8704b0e35c834d84c7bcb3ee81
SHA1 29c672f9e0887be993a62ce2fb6a120800e0292e
SHA256 be48033056b04642334e6c57846bc64e43788fa91b400a65150abaeb84d2db26
SHA512 394133d48d56f2a184f339443633487fe09b1156107544e87b7e70f6a8c5bf3be7569d33c1efcf8b1787055da709558a684973299bd0aff8b334d5e387f1e100

memory/64-40-0x0000000000400000-0x0000000002396000-memory.dmp

memory/532-47-0x0000000000400000-0x0000000002396000-memory.dmp

memory/936-56-0x0000000000400000-0x0000000002396000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:23

Reported

2024-06-14 00:26

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 236 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 236 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 236 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe

"C:\Users\Admin\AppData\Local\Temp\c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 1060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 1092

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 236 -ip 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1512

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 472

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4756 -ip 4756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 916

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2216 -ip 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 dnschnj.at udp

Files

memory/236-2-0x00000000040A0000-0x000000000410B000-memory.dmp

memory/236-1-0x0000000002490000-0x0000000002590000-memory.dmp

memory/236-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 533d0bcb60268535cf0823ea47d89c3b
SHA1 8cdc73e1aa72930d875b5c377d06d1c7dbd056a2
SHA256 c0814ea170137aa31bc7ce948534a5d5ce5049b60830d41dfa545ba8f7bb01cb
SHA512 2b75e2f3f52e88553558a69b3d331be1ffeaaeea3e87eb75483bed908ffc84f120f7f8ab383d9f8cd5fe08d8e1f61bcff064ce33f627d5e4897841d54365e127

memory/2152-16-0x0000000000400000-0x0000000002396000-memory.dmp

memory/2152-17-0x0000000000400000-0x0000000002396000-memory.dmp

memory/236-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/236-19-0x00000000040A0000-0x000000000410B000-memory.dmp

memory/236-18-0x0000000000400000-0x0000000002396000-memory.dmp

memory/2152-25-0x0000000000400000-0x0000000002396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\672260578815

MD5 f5bf425ed6265ae55d455290d6402583
SHA1 c51cfb6aa74d9df0c7044f9aebcb75c0d834ab37
SHA256 af9817346a91811e4db8b9c266a5c9df75c858e97ef73c71e575f18126bae60c
SHA512 daf4ccafc85a9526e611756c4ebd8e47e7570ea8aae15de5ff339395f965056fa1b6295fccad414d1b698fa06a30933baa951a1b1ead4e5f31a53e12baa335d5

memory/2448-32-0x0000000000400000-0x0000000002396000-memory.dmp

memory/2152-33-0x0000000000400000-0x0000000002396000-memory.dmp

memory/2152-41-0x0000000000400000-0x0000000002396000-memory.dmp

memory/4756-48-0x0000000000400000-0x0000000002396000-memory.dmp

memory/2216-58-0x0000000000400000-0x0000000002396000-memory.dmp