Malware Analysis Report

2024-09-11 10:25

Sample ID 240616-tkm4nstepl
Target 115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6
SHA256 115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6
Tags
amadey b2c2c1 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6

Threat Level: Known bad

The file 115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6 was found to be: Known bad.

Malicious Activity Summary

amadey b2c2c1 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 16:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 16:07

Reported

2024-06-16 16:09

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3424 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3424 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe

"C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1316

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1332

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 840 -ip 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 440

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2892 -ip 2892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 888

Network

Country Destination Domain Proto
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 greendag.ru udp

Files

memory/3424-1-0x0000000000760000-0x0000000000860000-memory.dmp

memory/3424-2-0x0000000002100000-0x000000000216B000-memory.dmp

memory/3424-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 20107b56aca91f4ec61feb7f80801a11
SHA1 f674c1f8ef89c4bd82883e1918aa22d0ee98984b
SHA256 115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6
SHA512 5cb20d2fa7493d218f5b7cd9135f79ddd0a6d6e548d7632c14ecdcc1ebfdceb627251ab8266e9bd6702c96e1f2634c61198d4f4d7a2f3a9a9f32c3a8f431a7ef

memory/3424-18-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3424-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3424-19-0x0000000002100000-0x000000000216B000-memory.dmp

memory/2892-22-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2892-23-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2892-24-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2892-29-0x0000000000400000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124900551406

MD5 6f5b60c4b7b42506c3b83392a37c9b54
SHA1 ab36d40946eb2ccf0aebc6f4084ebd6d6f2fd539
SHA256 4c207375e132b2712d8b1d3040bd98131b8089913b1281569dfffedb4bedfe0b
SHA512 b506ac1405168ea716d8101e20e4f1225cea1893f8ed119de618fcf59f8f442ebbf184be43b4154bb8286cffad2c85348bf4a8b2b81d6982ac7a5686fa68ff80

memory/2892-38-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2892-42-0x0000000000400000-0x0000000000484000-memory.dmp

memory/840-46-0x0000000000400000-0x0000000000484000-memory.dmp

memory/840-47-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4092-56-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4092-57-0x0000000000400000-0x0000000000484000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 16:07

Reported

2024-06-16 16:09

Platform

win11-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2628 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2628 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2628 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe

"C:\Users\Admin\AppData\Local\Temp\115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 900

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1488

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1080 -ip 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 472

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3704 -ip 3704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 900

Network

Country Destination Domain Proto
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 jkshb.su udp
EG 102.189.56.158:80 jkshb.su tcp
EG 102.189.56.158:80 jkshb.su tcp
KW 78.89.199.216:80 jkshb.su tcp
KW 78.89.199.216:80 jkshb.su tcp
KW 78.89.199.216:80 jkshb.su tcp

Files

memory/2628-1-0x0000000000830000-0x0000000000930000-memory.dmp

memory/2628-2-0x00000000021D0000-0x000000000223B000-memory.dmp

memory/2628-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 20107b56aca91f4ec61feb7f80801a11
SHA1 f674c1f8ef89c4bd82883e1918aa22d0ee98984b
SHA256 115837a43e73caa948a48dcddd813304ff16a2738a132a12dd85f5e1191b75f6
SHA512 5cb20d2fa7493d218f5b7cd9135f79ddd0a6d6e548d7632c14ecdcc1ebfdceb627251ab8266e9bd6702c96e1f2634c61198d4f4d7a2f3a9a9f32c3a8f431a7ef

memory/2628-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2628-19-0x00000000021D0000-0x000000000223B000-memory.dmp

memory/2628-18-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3172-22-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3172-27-0x0000000000400000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\394516847340

MD5 6e5b8575ab4d05c5ca506fb931a067a8
SHA1 93e9390ea27bd619ff81d510805cc30c4f2540c0
SHA256 c05281325dc7f619b74ee27f3071380164b69da24ac249d6e72bcba27f80866d
SHA512 ecbe3e5d5a12eb686314d791daec507d0ce6cab1aa07588841c6b5df8746a6a6b2860b83deaf7145366ef06ff0c4ad308163e51478d3f827bed3751dd925eb98

memory/3172-33-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3172-41-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1080-44-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1080-45-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1080-46-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1080-47-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3704-56-0x0000000000400000-0x0000000000484000-memory.dmp