Malware Analysis Report

2024-09-11 11:06

Sample ID 240620-fx9ljs1bna
Target f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6
SHA256 f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6
Tags
amadey b2c2c1 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6

Threat Level: Known bad

The file f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6 was found to be: Known bad.

Malicious Activity Summary

amadey b2c2c1 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 05:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 05:16

Reported

2024-06-20 05:18

Platform

win11-20240508-en

Max time kernel

143s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 412 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 412 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 412 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe

"C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1132

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1452

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2460 -ip 2460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 472

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 580 -ip 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 928

Network

Country Destination Domain Proto
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp

Files

memory/412-2-0x0000000004490000-0x00000000044FB000-memory.dmp

memory/412-1-0x0000000002920000-0x0000000002A20000-memory.dmp

memory/412-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 63f4a9d79e15748b849f796db8890b8c
SHA1 136fbafce2c84a883da23106b3c7134f878dfd3c
SHA256 f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6
SHA512 69a0f154d181fcd56619156b4e51274d3424210cb7e31a4c9d76682feeba21e10e4c76c86c75269c9e28f18f5d05bfdea10e280a5f9b1c99e2d8742e09a7573a

memory/2408-16-0x0000000000400000-0x0000000002766000-memory.dmp

memory/412-18-0x0000000004490000-0x00000000044FB000-memory.dmp

memory/412-19-0x0000000000400000-0x0000000000470000-memory.dmp

memory/412-17-0x0000000000400000-0x0000000002766000-memory.dmp

memory/2408-24-0x0000000000400000-0x0000000002766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\457560273698

MD5 6cb907d7c9518f2e7d04f7f4b156afdc
SHA1 5067e0c98c6029cc6bb70049fb3c922cf481ee6b
SHA256 c3e3552530dd59ce87625a99b27b89ca4876919bf1b3c4d79b1281f9ba13bcfc
SHA512 60ccac5ab84a4def6024190d5e5191b043520b5fb92f644939aac00f8860b09f27cdb377482862dc0d41ee312906b4d350c900d5b09f3619d659ac3f6ad42aa9

memory/2408-37-0x0000000000400000-0x0000000002766000-memory.dmp

memory/2460-40-0x0000000000400000-0x0000000002766000-memory.dmp

memory/580-49-0x0000000000400000-0x0000000002766000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 05:16

Reported

2024-06-20 05:19

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3352 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3352 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe

"C:\Users\Admin\AppData\Local\Temp\f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1304

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1464

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
CO 190.147.2.86:80 jkshb.su tcp
CO 190.147.2.86:80 jkshb.su tcp
CO 190.147.2.86:80 jkshb.su tcp
US 8.8.8.8:53 86.2.147.190.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/3352-1-0x0000000002900000-0x0000000002A00000-memory.dmp

memory/3352-2-0x00000000044B0000-0x000000000451B000-memory.dmp

memory/3352-3-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3352-5-0x0000000000400000-0x0000000002766000-memory.dmp

memory/3352-7-0x0000000002900000-0x0000000002A00000-memory.dmp

memory/3352-8-0x00000000044B0000-0x000000000451B000-memory.dmp

memory/3352-9-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 63f4a9d79e15748b849f796db8890b8c
SHA1 136fbafce2c84a883da23106b3c7134f878dfd3c
SHA256 f46dad8197b2d0a34a8d55b46a204c0f0be76efd2cfad9125631e0d26f1125c6
SHA512 69a0f154d181fcd56619156b4e51274d3424210cb7e31a4c9d76682feeba21e10e4c76c86c75269c9e28f18f5d05bfdea10e280a5f9b1c99e2d8742e09a7573a

memory/3352-25-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3352-23-0x0000000000400000-0x0000000002766000-memory.dmp

memory/2568-26-0x0000000000400000-0x0000000002766000-memory.dmp

memory/2568-27-0x0000000000400000-0x0000000002766000-memory.dmp

memory/2568-32-0x0000000000400000-0x0000000002766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\808065738166

MD5 5485fb77c33f6864b2a5fc219902aca9
SHA1 dc24e5b89bc71427f56d4320a15f94b23db01758
SHA256 1e983854602cede07087879fa28ea3cfa379a2bf4fe41fc07d15199ef0f01584
SHA512 92e558bb5bd5c206a34fb66b99fd8e3800db1804727c3a3ddd45534ae467193aa9658f896459fd49c13798f69343aa979368d30a9eb78367a85aa94246b6a4f3

memory/2568-45-0x0000000000400000-0x0000000002766000-memory.dmp

memory/4464-48-0x0000000000400000-0x0000000002766000-memory.dmp