Malware Analysis Report

2024-09-11 10:25

Sample ID 240616-165zyavcll
Target c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f
SHA256 c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f
Tags
amadey b2c2c1 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f

Threat Level: Known bad

The file c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f was found to be: Known bad.

Malicious Activity Summary

amadey b2c2c1 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 22:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 22:16

Reported

2024-06-16 22:19

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2248 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2248 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe

"C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1292

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3404 -ip 3404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 472

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 820

Network

Country Destination Domain Proto
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp

Files

memory/2248-1-0x00000000023A0000-0x00000000024A0000-memory.dmp

memory/2248-2-0x0000000003FA0000-0x000000000400B000-memory.dmp

memory/2248-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 6174a84678bb6128cc44bcf403efa49b
SHA1 216e5bece19cb9b5b067603e7035c2f51a2989b0
SHA256 c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f
SHA512 6abf95d27e37948f85c327e52ea0f649ec9af7c6d99062aee28cc6b45060d320d0803596328365a30d9ab80b8ed317cb90cb909f2bd35c057dc03c8c84e2783b

memory/3404-16-0x0000000000400000-0x0000000002398000-memory.dmp

memory/3404-17-0x0000000000400000-0x0000000002398000-memory.dmp

memory/3404-19-0x0000000000400000-0x0000000002398000-memory.dmp

memory/2248-20-0x0000000003FA0000-0x000000000400B000-memory.dmp

memory/2248-21-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2248-18-0x0000000000400000-0x0000000002398000-memory.dmp

memory/3232-29-0x0000000000400000-0x0000000002398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\337824034273

MD5 edb59dc558588369e6d5f4fedb5d9edc
SHA1 a50df06aa5a233d160fc6a843940bee5d6d9f666
SHA256 5a90cd650756a01c55b8b66e7bea8fb3c06df3b4937167c62a2b988badde2fc3
SHA512 03d59861863dea743e1778fa2e1def906b41f3b617141b6658adec238a33efee8c7580fb551f0d2dd4088757aa8309c936b4f2f4da41df3e495fa4283c24e4da

memory/3232-41-0x0000000000400000-0x0000000002398000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 22:16

Reported

2024-06-16 22:19

Platform

win11-20240611-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 404 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 404 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe

"C:\Users\Admin\AppData\Local\Temp\c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1136

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1584

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 480

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 856

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 480

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 jkshb.su udp
CO 186.145.236.93:80 jkshb.su tcp
CO 186.145.236.93:80 jkshb.su tcp
CO 186.145.236.93:80 jkshb.su tcp

Files

memory/404-1-0x0000000002510000-0x0000000002610000-memory.dmp

memory/404-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/404-2-0x0000000004110000-0x000000000417B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 6174a84678bb6128cc44bcf403efa49b
SHA1 216e5bece19cb9b5b067603e7035c2f51a2989b0
SHA256 c72da658182195a2bd55fc35b539d5981d059df80c16c8685169cd97232e774f
SHA512 6abf95d27e37948f85c327e52ea0f649ec9af7c6d99062aee28cc6b45060d320d0803596328365a30d9ab80b8ed317cb90cb909f2bd35c057dc03c8c84e2783b

memory/912-16-0x0000000000400000-0x0000000002398000-memory.dmp

memory/404-18-0x0000000000400000-0x0000000000470000-memory.dmp

memory/404-17-0x0000000000400000-0x0000000002398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\524922173293

MD5 f5afe306b001996cc8532809b3f25903
SHA1 22072db5ff310f0a70c4c2c08dbb49faccc1d46c
SHA256 d794918cf4f8f1dbaf4a67978f15ecd3f17f6f4c18a9790fd794141b15f5857c
SHA512 11eef28f4fb4462e0be74940a57c06332ff1240730feb20be7a21f8791ffd9a3f7d33bd1806c17a0ef59863a3daed3bd6a8a71523ef5728c30452438768a49ed

memory/4416-29-0x0000000000400000-0x0000000002398000-memory.dmp

memory/912-37-0x0000000000400000-0x0000000002398000-memory.dmp

memory/4632-45-0x0000000000400000-0x0000000002398000-memory.dmp

memory/4424-54-0x0000000000400000-0x0000000002398000-memory.dmp