Malware Analysis Report

2024-09-11 10:26

Sample ID 240618-ps33msxhkr
Target ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733
SHA256 ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733
Tags
amadey b2c2c1 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733

Threat Level: Known bad

The file ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733 was found to be: Known bad.

Malicious Activity Summary

amadey b2c2c1 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-18 12:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 12:36

Reported

2024-06-18 12:38

Platform

win11-20240419-en

Max time kernel

143s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2684 set thread context of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 set thread context of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 set thread context of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 set thread context of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2684 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 3724 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3724 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3724 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4864 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4396 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3208 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe

"C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe"

C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe

"C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe"

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp

Files

memory/2684-2-0x00000000040F0000-0x000000000415B000-memory.dmp

memory/2684-1-0x0000000002570000-0x0000000002670000-memory.dmp

memory/3724-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3724-5-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3724-4-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3724-6-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 f9069f199f56ff5884764d3c6ac6d2e3
SHA1 2a7612a39e3c15c8a273aadb0b60d2140cd69e33
SHA256 ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733
SHA512 b13782bacd10edc3a8c7a7f44c5ed26cd88479b5f4422af3197bb0667c1196ba775d4d613784379b334c9d307013c0926d464cef975ca6cb7f213e16e40e4bee

memory/3724-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4348-24-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4348-25-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4348-33-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\474490143322

MD5 11e55a7bc999021dae4167fe5ec8375b
SHA1 b44e969d769328ae0427659deb38eba0e3ea02f1
SHA256 61536abe891a24c2693707dc50f21ff855c2edffa8fb539d8ded342d97ffd1b1
SHA512 bd0760390156248fe8ded9b4640acf217ec28dff33bd9b9c1677171a1d38d817516ae6c92cd7db7e3718afff5cae7be9ad6728641447833b573ea1ee7726b8c7

memory/4348-38-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4348-46-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2020-51-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2020-52-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3296-64-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3296-65-0x0000000000400000-0x0000000000470000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 12:36

Reported

2024-06-18 12:38

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4864 set thread context of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 2624 set thread context of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 set thread context of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 set thread context of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4864 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe
PID 4456 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4456 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4456 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2624 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4552 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4080 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe

"C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe"

C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe

"C:\Users\Admin\AppData\Local\Temp\ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733.exe"

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
NL 52.111.243.29:443 tcp

Files

memory/4456-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4456-4-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4864-2-0x0000000003FA0000-0x000000000400B000-memory.dmp

memory/4456-5-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4864-1-0x00000000023E0000-0x00000000024E0000-memory.dmp

memory/4456-6-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 f9069f199f56ff5884764d3c6ac6d2e3
SHA1 2a7612a39e3c15c8a273aadb0b60d2140cd69e33
SHA256 ff2d3dcbc199719029b79bc1c306f191ad945f139dfc6335301a40c6b292d733
SHA512 b13782bacd10edc3a8c7a7f44c5ed26cd88479b5f4422af3197bb0667c1196ba775d4d613784379b334c9d307013c0926d464cef975ca6cb7f213e16e40e4bee

memory/4456-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1472-24-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1472-25-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1472-33-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\539840389126

MD5 d3cb94526afae856bc02a63a15bdcaf1
SHA1 0d36674b6f1da213999bceebf96de9762e717d04
SHA256 0b7e311e87db1e207b538730f50c1c6ffbb118f1df094e8c75133dae6e57642b
SHA512 aa7a5c06a065d2d8b6208dcb7fe88ba1810f7658246e76bb3b28e14e4a74c941570fcc7065e7ebf323ab42fcf52c27aca6ae28fa3e582899494ddda915e1bd9b

memory/1472-46-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2844-51-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2844-52-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3124-64-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3124-65-0x0000000000400000-0x0000000000470000-memory.dmp