Malware Analysis Report

2024-09-11 13:42

Sample ID 240615-v2lgvasenr
Target 20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e
SHA256 20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e

Threat Level: Known bad

The file 20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 17:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 17:29

Reported

2024-06-15 17:31

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3696 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3696 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3696 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe

"C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1240

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 560

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1492

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
KR 125.7.253.10:80 selltix.org tcp
KR 125.7.253.10:80 selltix.org tcp
KR 125.7.253.10:80 selltix.org tcp
US 8.8.8.8:53 10.253.7.125.in-addr.arpa udp
KR 125.7.253.10:80 selltix.org tcp
KR 125.7.253.10:80 selltix.org tcp
KR 125.7.253.10:80 selltix.org tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
KR 125.7.253.10:80 selltix.org tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
KR 125.7.253.10:80 selltix.org tcp
KR 125.7.253.10:80 selltix.org tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 udp

Files

memory/3696-1-0x00000000004E0000-0x00000000005E0000-memory.dmp

memory/3696-2-0x0000000002130000-0x000000000219F000-memory.dmp

memory/3696-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/3696-5-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 2573de67cd3f90e0cd44364fb0b25dd4
SHA1 92200ff26192febe4ac4549731559891466bc0a6
SHA256 20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e
SHA512 acfec0bb3f5de64bd342b0150644a1755eb1cb5ee3a71446122e1c4c86472aec7b7cd9e300fbcb89b3023840319db373a260e440ff52a9959d0024e232dd6d18

memory/3696-17-0x00000000004E0000-0x00000000005E0000-memory.dmp

memory/3696-23-0x0000000000400000-0x0000000000472000-memory.dmp

memory/3696-22-0x0000000002130000-0x000000000219F000-memory.dmp

memory/3696-21-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1916-25-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1916-26-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1916-32-0x0000000000400000-0x0000000000483000-memory.dmp

memory/432-34-0x0000000000400000-0x0000000000483000-memory.dmp

memory/432-35-0x0000000000400000-0x0000000000483000-memory.dmp

memory/432-37-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\808065738166

MD5 a1c795de0f0e591c2d44456535869504
SHA1 41e51b6659da0ea39915e7c50383826aab01e0dc
SHA256 66c11dd9df052b6f80226d7afbf84ba0a4be5a65a9798f637a56633aacefcc0e
SHA512 a815de7846e559fb74acaf272479e582b0f4658ce2d9abc4baf98509932de747e8223a4cbb205d9c3095540223ca0579e0ef49e5f9b0281d23d94612a916dfe3

memory/1916-49-0x0000000000400000-0x0000000000483000-memory.dmp

memory/988-57-0x0000000000400000-0x0000000000483000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 17:29

Reported

2024-06-15 17:31

Platform

win11-20240611-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2120 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2120 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe

"C:\Users\Admin\AppData\Local\Temp\20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1132

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1552

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1724 -ip 1724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 472

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3420 -ip 3420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2204 -ip 2204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
EG 102.189.56.158:80 selltix.org tcp
EG 102.189.56.158:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp
MX 187.156.104.208:80 selltix.org tcp

Files

memory/2120-2-0x00000000021A0000-0x000000000220F000-memory.dmp

memory/2120-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

memory/2120-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 2573de67cd3f90e0cd44364fb0b25dd4
SHA1 92200ff26192febe4ac4549731559891466bc0a6
SHA256 20175eb91cc052cb4ba1f5492d906cbf8effead5cb571ee350cbaacc96e97f6e
SHA512 acfec0bb3f5de64bd342b0150644a1755eb1cb5ee3a71446122e1c4c86472aec7b7cd9e300fbcb89b3023840319db373a260e440ff52a9959d0024e232dd6d18

memory/2120-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2120-19-0x00000000021A0000-0x000000000220F000-memory.dmp

memory/2120-18-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2204-22-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2204-23-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2204-24-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2204-29-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2204-30-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\560405787796

MD5 302eea94bab2c2a34fdd7a5f54e030ef
SHA1 c4d74c7f4124209b2146a11004c98bacb802af17
SHA256 54377f4b70caa69e084078ffb6f455c220704ad1690acfa6ad13972b0173e9f4
SHA512 84aba644e64ecb3302124431bb9d19676180817fb214859612b558abdf6d4562e370a8148c70f4e35a0399344cab90b16a8c7d756b948c2950fe95e82cdef6db

memory/2204-43-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1724-46-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1724-47-0x0000000000400000-0x0000000000483000-memory.dmp

memory/3420-56-0x0000000000400000-0x0000000000483000-memory.dmp