Malware Analysis Report

2024-09-11 14:15

Sample ID 240620-m117xatdld
Target da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002
SHA256 da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002

Threat Level: Known bad

The file da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002 was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 10:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 10:56

Reported

2024-06-20 10:59

Platform

win11-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4044 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4044 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4044 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe

"C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4044 -ip 4044

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 508

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 860

Network

Country Destination Domain Proto
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
MX 148.230.249.9:80 selltix.org tcp
MX 148.230.249.9:80 selltix.org tcp
MX 148.230.249.9:80 selltix.org tcp
MX 148.230.249.9:80 selltix.org tcp
MX 148.230.249.9:80 selltix.org tcp
MX 148.230.249.9:80 selltix.org tcp
MX 148.230.249.9:80 selltix.org tcp
MX 148.230.249.9:80 selltix.org tcp
MX 148.230.249.9:80 selltix.org tcp

Files

memory/4044-1-0x0000000002A40000-0x0000000002B40000-memory.dmp

memory/4044-2-0x00000000029D0000-0x0000000002A3F000-memory.dmp

memory/4044-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 d8ece4218b4afab0ab5dd6ea6e41f023
SHA1 f1f2157955512c1f9921120e5bf1be121173e88d
SHA256 da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002
SHA512 0e7bb5e18c5f247e2fd1e2377c8064ee075b67f482ef82f7c7f095bf64bf8f50913330569d6cf74e1c3b2e92f5c09c973b08fc84c8fb71498a0f108b2110750b

memory/4964-16-0x0000000000400000-0x0000000002767000-memory.dmp

memory/4964-17-0x0000000000400000-0x0000000002767000-memory.dmp

memory/4044-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4044-19-0x00000000029D0000-0x0000000002A3F000-memory.dmp

memory/4044-18-0x0000000000400000-0x0000000002767000-memory.dmp

memory/4964-22-0x0000000000400000-0x0000000002767000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\198854727384

MD5 98521dbd99beecdd6e44c66b82cc35d3
SHA1 7ceee0cf40e3ecba359f9f3d2dc2a74b6572c91f
SHA256 d6f1cfaee9e7b3b622c258b4d32a677973af711c4287d1a72fe955352046e7ca
SHA512 58c1d8e526cc7e0bf5ccdf4d892a90fa68c14b36fd47b208ad4021a204567a416da71284dffc4cae1b9da40daca4ae273944355d037e3132a25a5b0259ef6336

memory/2020-40-0x0000000000400000-0x0000000002767000-memory.dmp

memory/2020-41-0x0000000000400000-0x0000000002767000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 10:56

Reported

2024-06-20 10:59

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1332 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1332 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe

"C:\Users\Admin\AppData\Local\Temp\da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1244

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1328

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4576 -ip 4576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 448

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3088 -ip 3088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 924

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 440

Network

Country Destination Domain Proto
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp

Files

memory/1332-1-0x0000000002980000-0x0000000002A80000-memory.dmp

memory/1332-2-0x00000000028E0000-0x000000000294F000-memory.dmp

memory/1332-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 d8ece4218b4afab0ab5dd6ea6e41f023
SHA1 f1f2157955512c1f9921120e5bf1be121173e88d
SHA256 da708ba94087c1d7b3352f0228c01fbd671f7465da102372d4a7deaaa0a7e002
SHA512 0e7bb5e18c5f247e2fd1e2377c8064ee075b67f482ef82f7c7f095bf64bf8f50913330569d6cf74e1c3b2e92f5c09c973b08fc84c8fb71498a0f108b2110750b

memory/5020-16-0x0000000000400000-0x0000000002767000-memory.dmp

memory/5020-17-0x0000000000400000-0x0000000002767000-memory.dmp

memory/1332-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1332-19-0x00000000028E0000-0x000000000294F000-memory.dmp

memory/1332-18-0x0000000000400000-0x0000000002767000-memory.dmp

memory/5020-25-0x0000000000400000-0x0000000002767000-memory.dmp

memory/4576-28-0x0000000000400000-0x0000000002767000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\539840389126

MD5 8b488ea40481cd3c1253c89ff2710331
SHA1 06847a1ee1c4dbcb48e5fd220aa3a4021e112f19
SHA256 aa4b076032ffbeeba74d10514a40cd6f7e3bed606c065288f58117a509f9a415
SHA512 21275638d703ee77f46e54c11543925d891f01916a546d6e8f776ba4c711a062abd1d57ff472665a0d9aeefe09d0ce82d79b2347e308a7a616cd9a05c046e3f0

memory/5020-33-0x0000000000400000-0x0000000002767000-memory.dmp

memory/5020-41-0x0000000000400000-0x0000000002767000-memory.dmp

memory/3088-48-0x0000000000400000-0x0000000002767000-memory.dmp

memory/4884-57-0x0000000000400000-0x0000000002767000-memory.dmp