Malware Analysis Report

2024-09-11 10:44

Sample ID 240619-p1m2dsvflp
Target 0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7
SHA256 0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7
Tags
amadey b2c2c1 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7

Threat Level: Known bad

The file 0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7 was found to be: Known bad.

Malicious Activity Summary

amadey b2c2c1 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-19 12:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 12:47

Reported

2024-06-19 12:50

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 468 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 468 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe

"C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1236

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 468 -ip 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 804

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1532

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1784 -ip 1784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 440

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2468 -ip 2468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 888

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp

Files

memory/468-1-0x00000000004E0000-0x00000000005E0000-memory.dmp

memory/468-2-0x0000000002090000-0x00000000020FB000-memory.dmp

memory/468-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 e6fc28553e094884912bae4a2c2b3b9c
SHA1 cde0267165251594e62d474d1c80841733b19875
SHA256 0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7
SHA512 ca02ba43c31ef94035d26d6e8e92707608dcd7ec667fcf97ca391128084de90000c76eaa2075caaa93f98a135aadaeffce331d1eb0bea5343e83385022cbd162

memory/468-19-0x0000000002090000-0x00000000020FB000-memory.dmp

memory/468-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/468-18-0x0000000000400000-0x000000000047B000-memory.dmp

memory/5036-23-0x0000000000400000-0x000000000047B000-memory.dmp

memory/4468-27-0x0000000000400000-0x000000000047B000-memory.dmp

memory/4468-26-0x0000000000400000-0x000000000047B000-memory.dmp

memory/4468-25-0x0000000000400000-0x000000000047B000-memory.dmp

memory/4468-30-0x0000000000400000-0x000000000047B000-memory.dmp

memory/5036-34-0x0000000000400000-0x000000000047B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124900551406

MD5 b3001378f4a2a4c142ca7f085a59ffb1
SHA1 a7f307179ae6a547ad37c6b050195a3d633885c6
SHA256 0d4de57c9f103aebf58cf8de1faf30dc60c57e0e1ed452b9b7451048b407c190
SHA512 6eabde5c1e68bbf18b21f59120753014e178b0e07f8ed1d339287bb2ff960ed3f1ad16910cfbd38863c8c611605f3f050d41ab36ed19f6ce6b4847cab24e24a1

memory/5036-47-0x0000000000400000-0x000000000047B000-memory.dmp

memory/1784-53-0x0000000000400000-0x000000000047B000-memory.dmp

memory/2468-62-0x0000000000400000-0x000000000047B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 12:47

Reported

2024-06-19 12:50

Platform

win11-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 952 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 952 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 952 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe

"C:\Users\Admin\AppData\Local\Temp\0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1140

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 768

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1780 -ip 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 472

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 472

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 896 -ip 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 488

Network

Country Destination Domain Proto
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 jkshb.su udp
CO 190.159.30.35:80 jkshb.su tcp
CO 190.159.30.35:80 jkshb.su tcp
CO 190.159.30.35:80 jkshb.su tcp
US 52.111.227.14:443 tcp

Files

memory/952-1-0x0000000000810000-0x0000000000910000-memory.dmp

memory/952-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/952-2-0x00000000021B0000-0x000000000221B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 e6fc28553e094884912bae4a2c2b3b9c
SHA1 cde0267165251594e62d474d1c80841733b19875
SHA256 0433532a3e70d641865b749221aeb9e759a89a40efcf2c56efa4ed169511a6a7
SHA512 ca02ba43c31ef94035d26d6e8e92707608dcd7ec667fcf97ca391128084de90000c76eaa2075caaa93f98a135aadaeffce331d1eb0bea5343e83385022cbd162

memory/952-19-0x0000000000400000-0x0000000000470000-memory.dmp

memory/952-18-0x0000000000400000-0x000000000047B000-memory.dmp

memory/564-23-0x0000000000400000-0x000000000047B000-memory.dmp

memory/564-22-0x0000000000400000-0x000000000047B000-memory.dmp

memory/564-21-0x0000000000400000-0x000000000047B000-memory.dmp

memory/1780-30-0x0000000000400000-0x000000000047B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\433428765247

MD5 5da6683e65e82aa56ffe50471e9d6344
SHA1 e684c6258a815066c1166ae7d5b53d949c00a778
SHA256 7dbd7f8216b57b3c40c75db561876e17adc9d8e86934538d4641752262a30f02
SHA512 2052215b7002211b44ae3f27f3b0f4548e3a07586ccdeccf32ed10c6295763109dd1b412973f61009845039773770cbede0ace98c98d0ee6895665996321e82a

memory/1780-35-0x0000000000400000-0x000000000047B000-memory.dmp

memory/564-43-0x0000000000400000-0x000000000047B000-memory.dmp

memory/4940-51-0x0000000000400000-0x000000000047B000-memory.dmp

memory/896-60-0x0000000000400000-0x000000000047B000-memory.dmp