Malware Analysis Report

2024-09-11 13:43

Sample ID 240616-kecajswgnh
Target dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67
SHA256 dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67

Threat Level: Known bad

The file dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67 was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 08:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 08:30

Reported

2024-06-16 08:32

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1664 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1664 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe

"C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1136

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1480

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3240 -ip 3240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 440

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3824 -ip 3824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 888

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp

Files

memory/1664-1-0x0000000000620000-0x0000000000720000-memory.dmp

memory/1664-2-0x0000000000820000-0x000000000088F000-memory.dmp

memory/1664-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 f84a85d92ef31e643725aa35ec22e0c6
SHA1 840cfcebcc55e2d2e02018d8e5d9758cacb1c294
SHA256 dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67
SHA512 c0332659caec051652c112eb05ff530742bf87b4bc10a0b0d0c1ad905e41a13b4f4f1b7ffc738eaa4cae0eff887152baf3d1b0d479aec580b4c498dd52968420

memory/1664-18-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1664-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1664-19-0x0000000000820000-0x000000000088F000-memory.dmp

memory/1368-22-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1368-23-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1368-28-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124900551406

MD5 207109f8cbdf145493d16847b3b42016
SHA1 8938277eae7b8ef1055868083d60a4be08b16f80
SHA256 e9391fc08c98195f7ea522e67b8552b54ee2bcced81f4b3e38ef4e027947e596
SHA512 f1379164c7984bc112e203f1fe1f7258a2880676fde96fa2556390728c9e9b055ef4d2e974f27aa6e687b4a872c3a279b0f804dcee476ee9479f63a2a511068b

memory/1368-40-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3240-43-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3240-44-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3824-53-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3824-54-0x0000000000400000-0x0000000000486000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 08:30

Reported

2024-06-16 08:32

Platform

win11-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2008 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2008 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe

"C:\Users\Admin\AppData\Local\Temp\dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1136

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1528

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3508 -ip 3508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 480

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 920

Network

Country Destination Domain Proto
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp

Files

memory/2008-2-0x00000000021D0000-0x000000000223F000-memory.dmp

memory/2008-1-0x00000000006C0000-0x00000000007C0000-memory.dmp

memory/2008-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 f84a85d92ef31e643725aa35ec22e0c6
SHA1 840cfcebcc55e2d2e02018d8e5d9758cacb1c294
SHA256 dfb12aed2838e682fbf3080ae81f214b358e240a7849031a8e334187d60a4a67
SHA512 c0332659caec051652c112eb05ff530742bf87b4bc10a0b0d0c1ad905e41a13b4f4f1b7ffc738eaa4cae0eff887152baf3d1b0d479aec580b4c498dd52968420

memory/2008-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2008-19-0x00000000021D0000-0x000000000223F000-memory.dmp

memory/2008-18-0x0000000000400000-0x0000000000486000-memory.dmp

memory/4592-22-0x0000000000400000-0x0000000000486000-memory.dmp

memory/4592-27-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\457560273698

MD5 51be0137cc5ef314b9cd36b5b631b371
SHA1 e66cd23d37e9b4290bd95187c1455411e521cb8d
SHA256 9ff4e3f1efce43c6322ae1a54f0e6e139accfec89c86e635f734926b21708ded
SHA512 9d20a1f908bfb420649409344c6bfb9ae992e297faf7b3c0df7099073251f3295dafb47b01b57c5c1c107626755238b7382db041c04623261a25037b3507f8d9

memory/4592-32-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3508-35-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3508-43-0x0000000000400000-0x0000000000486000-memory.dmp

memory/4592-44-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2408-53-0x0000000000400000-0x0000000000486000-memory.dmp