Malware Analysis Report

2024-09-11 11:14

Sample ID 240615-pfsfdatgkj
Target 70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb
SHA256 70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb
Tags
amadey 9a3efc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb

Threat Level: Known bad

The file 70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb was found to be: Known bad.

Malicious Activity Summary

amadey 9a3efc trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 12:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 12:16

Reported

2024-06-15 12:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 3244 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 3244 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe

"C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1240

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1460

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3620 -ip 3620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 440

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2588 -ip 2588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 624

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1380 -ip 1380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 check-ftp.ru udp

Files

memory/3244-1-0x00000000006F0000-0x00000000007F0000-memory.dmp

memory/3244-2-0x0000000000930000-0x000000000099B000-memory.dmp

memory/3244-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 d3a38b4480cc99b457c56de5d5c56c67
SHA1 cc9bf1200f09e9eb5d8998d5d4900953becd672e
SHA256 70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb
SHA512 345e6a1202af31a6e884490d67915ba9276fb1e8d86c1532916b7d4ddb4c5c4496874a310d0c194ef4735ed8fadde9eca81e2e922729153cfd1bf5cab3194781

memory/3244-18-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3244-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3244-19-0x0000000000930000-0x000000000099B000-memory.dmp

memory/1440-22-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1440-23-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1440-24-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1440-31-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3620-32-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3620-33-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3620-34-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\337824034273

MD5 e47c370600c4bb561631e037f385f6be
SHA1 76965127512c027d64b9da3dd88f24947533800c
SHA256 c0a711fbdd649a2daa0ba19a11b1e9d5e74c887d7d12c72b817502550870bf61
SHA512 838d9c3d8d9876b823f77d11deb8c3b63ef260114d851271c1a08521dc62e527b1b5a0fcfa73cc0ea925742cc1fe7052eb5d8310a3e22e5bcb42dbfa91a8ff63

memory/1440-46-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1440-47-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2588-55-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2588-56-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1380-65-0x0000000000400000-0x0000000000486000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 12:16

Reported

2024-06-15 12:19

Platform

win11-20240508-en

Max time kernel

148s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 1876 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 1876 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe

"C:\Users\Admin\AppData\Local\Temp\70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 904

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1396

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2516 -ip 2516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 480

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 900

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 472

Network

Country Destination Domain Proto
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 check-ftp.ru udp

Files

memory/1876-1-0x0000000000680000-0x0000000000780000-memory.dmp

memory/1876-2-0x00000000021D0000-0x000000000223B000-memory.dmp

memory/1876-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 d3a38b4480cc99b457c56de5d5c56c67
SHA1 cc9bf1200f09e9eb5d8998d5d4900953becd672e
SHA256 70a1ff653b0b354ae391e06461acf23404ac73f755fdfe2ac0815ea61d48cacb
SHA512 345e6a1202af31a6e884490d67915ba9276fb1e8d86c1532916b7d4ddb4c5c4496874a310d0c194ef4735ed8fadde9eca81e2e922729153cfd1bf5cab3194781

memory/1876-19-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1876-18-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1764-21-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1764-23-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1764-22-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2516-30-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2516-31-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1764-32-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\433428765247

MD5 f749bc3c93d2ce39f01c30435b5e84fb
SHA1 96ed63577e36b9df77796390dcb7c94b46ab7afd
SHA256 61e064e155283164e0f88c790703cf901ff6bf230e888b78fbcf9468d11ca15d
SHA512 e7e116aa102ef3f6bfaba7a83d559dfe81e60cef7e71378abaebd15edbbd2e5c092ac6c647dd55b60f022ba472ae16b0d4f2913e31b128beb493b0886bfc9d13

memory/1764-45-0x0000000000400000-0x0000000000486000-memory.dmp

memory/5060-51-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2788-61-0x0000000000400000-0x0000000000486000-memory.dmp