Malware Analysis Report

2024-09-11 11:28

Sample ID 240620-fs38zazhlf
Target 3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1
SHA256 3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1
Tags
amadey 9a3efc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1

Threat Level: Known bad

The file 3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1 was found to be: Known bad.

Malicious Activity Summary

amadey 9a3efc trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 05:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 05:09

Reported

2024-06-20 05:11

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 1980 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 1980 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe

"C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1288

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1444

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 884

Network

Country Destination Domain Proto
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 check-ftp.ru udp

Files

memory/1980-2-0x0000000002A00000-0x0000000002A6B000-memory.dmp

memory/1980-1-0x0000000002A70000-0x0000000002B70000-memory.dmp

memory/1980-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 c2c08e98ac653fbe4fd360fa2a1f1c6a
SHA1 128293361c929ef23e469bd7cffce2d1bf8564f5
SHA256 3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1
SHA512 eb5cae1a6e805ec401cb4ff8a1e616f43e98383ba1ef3936809b4c246d5ba5d771f4d77247367545ec36bb5072ed603aee83aa26c6ef89ee8ff57f2d5367529c

memory/1980-16-0x0000000002A00000-0x0000000002A6B000-memory.dmp

memory/1980-17-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1980-15-0x0000000000400000-0x0000000002766000-memory.dmp

memory/3292-19-0x0000000000400000-0x0000000002766000-memory.dmp

memory/3292-24-0x0000000000400000-0x0000000002766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\539840389126

MD5 a661d48c557c3f22b54d02a4c61b68be
SHA1 36c0c4d5069dd3d73407fd5f2f122b54266f0172
SHA256 6922c169bed272cd2a58503bc88fe3eb6508515185048cc92d65213b28580504
SHA512 4d54543fcd3f4a5a1592709b78bb6b862370bce51618d0a4f8c2a552558f5e11a6ccdec6246b53ee70d6127c9ac3457ec0c439f09be01fa69310f0b8c8535129

memory/3292-37-0x0000000000400000-0x0000000002766000-memory.dmp

memory/5032-42-0x0000000000400000-0x0000000002766000-memory.dmp

memory/2072-51-0x0000000000400000-0x0000000002766000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 05:09

Reported

2024-06-20 05:11

Platform

win11-20240508-en

Max time kernel

143s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 1144 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 1144 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe

"C:\Users\Admin\AppData\Local\Temp\3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1184

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1392

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3236 -ip 3236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 480

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3064 -ip 3064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 900

Network

Country Destination Domain Proto
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 check-ftp.ru udp
CO 190.147.128.172:80 check-ftp.ru tcp
CO 190.147.128.172:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
CO 190.147.128.172:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp

Files

memory/1144-2-0x0000000004470000-0x00000000044DB000-memory.dmp

memory/1144-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1144-1-0x0000000002940000-0x0000000002A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 c2c08e98ac653fbe4fd360fa2a1f1c6a
SHA1 128293361c929ef23e469bd7cffce2d1bf8564f5
SHA256 3cf289a85156ccd6984c800996d03d7d2c81ad57d8c5a4a89dea2ee8859aa3a1
SHA512 eb5cae1a6e805ec401cb4ff8a1e616f43e98383ba1ef3936809b4c246d5ba5d771f4d77247367545ec36bb5072ed603aee83aa26c6ef89ee8ff57f2d5367529c

memory/4504-16-0x0000000000400000-0x0000000002766000-memory.dmp

memory/1144-18-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1144-19-0x0000000004470000-0x00000000044DB000-memory.dmp

memory/1144-17-0x0000000000400000-0x0000000002766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\433428765247

MD5 c7729cbb8cf1616065d3c8ef8e556fbc
SHA1 d8dd759eefe0a1253d9484b57a17513968b5ed2c
SHA256 f3cb8a70a025ef3386914a1e3263f476b16ff89766e709665133f9913f7321c3
SHA512 262ad95614e336426e1c9ab1f2e2ede291b70121e49468d3c4fb916d504263394eff20a5c0157106378efb1f66aaf173d23c016d83c62204d5a28f169aca4a0a

memory/4504-28-0x0000000000400000-0x0000000002766000-memory.dmp

memory/4504-36-0x0000000000400000-0x0000000002766000-memory.dmp

memory/3236-43-0x0000000000400000-0x0000000002766000-memory.dmp

memory/3064-52-0x0000000000400000-0x0000000002766000-memory.dmp