Analysis Overview
SHA256
c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44
Threat Level: Known bad
The file c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44 was found to be: Known bad.
Malicious Activity Summary
Amadey
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-11 23:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 23:18
Reported
2024-06-11 23:21
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4536 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 4536 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 4536 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe
"C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1288
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1448
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 888
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
Files
memory/4536-1-0x0000000000790000-0x0000000000890000-memory.dmp
memory/4536-3-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4536-2-0x00000000005D0000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
| MD5 | 4e278426b48e76e777c4145d6c0f1eba |
| SHA1 | 6cbcace7341273c970f22e1ecacbb68d318deabd |
| SHA256 | c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44 |
| SHA512 | 435e27e73392df7b9e956d6ef174030a52d2d17079a6a3351ad4d3da70aa8240d6e95ea1c28448e33ace6366bae11855aba67ea2c9d4980fb1442ab44a7ba0e7 |
memory/3632-19-0x0000000000400000-0x0000000000480000-memory.dmp
memory/4536-20-0x0000000000400000-0x0000000000480000-memory.dmp
memory/4536-21-0x00000000005D0000-0x000000000063B000-memory.dmp
memory/4536-22-0x0000000000400000-0x0000000000470000-memory.dmp
memory/3632-27-0x0000000000400000-0x0000000000480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\804150937214
| MD5 | a7ff67aabd5293fe23ba681231441088 |
| SHA1 | c3df6c3bee17ec2ba4860eeaf8ab69436dcb8d05 |
| SHA256 | eeed8088e59fdb6241a106382b435eb7c6eb7befc5d288c673feb73f6fdd245b |
| SHA512 | 2415b8e46edc498893d2b8b3e77a67173e00617d6488c40f2cf623a973a448207c418b1d58df8bd40366d8ede591d3c599ce5c7657cef4037a84fc79f70eaaef |
memory/3632-40-0x0000000000400000-0x0000000000480000-memory.dmp
memory/636-45-0x0000000000400000-0x0000000000480000-memory.dmp
memory/636-46-0x0000000000400000-0x0000000000480000-memory.dmp
memory/908-55-0x0000000000400000-0x0000000000480000-memory.dmp
memory/908-56-0x0000000000400000-0x0000000000480000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 23:18
Reported
2024-06-11 23:21
Platform
win11-20240426-en
Max time kernel
144s
Max time network
89s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 884 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 884 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 884 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe
"C:\Users\Admin\AppData\Local\Temp\c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1136
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 884 -ip 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1456
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1856 -ip 1856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 480
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4856 -ip 4856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2092 -ip 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 900
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| AZ | 185.18.245.58:80 | check-ftp.ru | tcp |
| AZ | 185.18.245.58:80 | check-ftp.ru | tcp |
| N/A | 127.0.0.127:80 | tcp | |
| AZ | 185.18.245.58:80 | check-ftp.ru | tcp |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp |
Files
memory/884-1-0x00000000006B0000-0x00000000007B0000-memory.dmp
memory/884-2-0x0000000002200000-0x000000000226B000-memory.dmp
memory/884-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
| MD5 | 4e278426b48e76e777c4145d6c0f1eba |
| SHA1 | 6cbcace7341273c970f22e1ecacbb68d318deabd |
| SHA256 | c9dafe97940cde190f862c6db1b82cb2e21eb1b2e245b1bcf6cbf4446157cd44 |
| SHA512 | 435e27e73392df7b9e956d6ef174030a52d2d17079a6a3351ad4d3da70aa8240d6e95ea1c28448e33ace6366bae11855aba67ea2c9d4980fb1442ab44a7ba0e7 |
memory/2092-19-0x0000000000400000-0x0000000000480000-memory.dmp
memory/884-20-0x0000000000400000-0x0000000000480000-memory.dmp
memory/884-21-0x0000000002200000-0x000000000226B000-memory.dmp
memory/884-22-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\551177587377
| MD5 | 3fa42f1e35e454265d98641fe6cf3c4a |
| SHA1 | d0eaa03d97049ca844aa0456e02ed770db50ba6d |
| SHA256 | 1ec895768580191eaf9d0562535ca0fb54de463cdef9dca6f997fe9f27aa82c1 |
| SHA512 | f5e84d403769d998fb5fc779cb694a2e47a468b861e6f176e93d005637b9434f363119b8cfb962132f231d811c0fad3b27315121d46df6a7eba7a08328da1d1b |
memory/2092-35-0x0000000000400000-0x0000000000480000-memory.dmp
memory/2092-40-0x0000000000400000-0x0000000000480000-memory.dmp
memory/1856-46-0x0000000000400000-0x0000000000480000-memory.dmp
memory/1856-47-0x0000000000400000-0x0000000000480000-memory.dmp
memory/1856-48-0x0000000000400000-0x0000000000480000-memory.dmp
memory/4856-57-0x0000000000400000-0x0000000000480000-memory.dmp