Analysis Overview
SHA256
f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c
Threat Level: Known bad
The file f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c was found to be: Known bad.
Malicious Activity Summary
Amadey
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 09:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 09:16
Reported
2024-06-12 09:19
Platform
win11-20240611-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4864 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 4864 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 4864 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe
"C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1140
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2976 -ip 2976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 504
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 836
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jkshb.su | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| PA | 190.218.158.53:80 | jkshb.su | tcp |
| PA | 190.218.158.53:80 | jkshb.su | tcp |
| PA | 190.218.158.53:80 | jkshb.su | tcp |
Files
memory/4864-3-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4864-2-0x0000000003900000-0x000000000396B000-memory.dmp
memory/4864-1-0x0000000001E10000-0x0000000001F10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
| MD5 | 27884cb1c7d946789149be915954413d |
| SHA1 | c7c5141ec3449ce575fe2b72ea8983aaa79c359d |
| SHA256 | f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c |
| SHA512 | caeffd6145316b7396bb257171c0fc3028df9437c4c1af50e826f7aa1b5446a52522aca00c9029be3442f2cf56fa476cfee3ddc9a9bca3fb585baaa14737c254 |
memory/2976-16-0x0000000000400000-0x0000000001BF8000-memory.dmp
memory/2976-17-0x0000000000400000-0x0000000001BF8000-memory.dmp
memory/4864-20-0x0000000003900000-0x000000000396B000-memory.dmp
memory/4864-19-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4864-18-0x0000000000400000-0x0000000001BF8000-memory.dmp
memory/2976-22-0x0000000000400000-0x0000000001BF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\276817940128
| MD5 | 1f12934d79aad8d90f0483b13272cf0c |
| SHA1 | f959082d970e7878dff425548f72b8e8ace702fa |
| SHA256 | 11a4b17ac05b1b6b1aa6f60a01ca6a3b988a8dfa0bbf443109583b4161df4107 |
| SHA512 | 84148f1f108da438b02404af449bd82cec35368c0d081bcc52a3dae944765ef2b1d041feeb7b1f3fd8fecf974f55f970c4c0f0939ac9b36d3faa0df4e7f3c24a |
memory/2440-40-0x0000000000400000-0x0000000001BF8000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 09:16
Reported
2024-06-12 09:19
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 920 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 920 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 920 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe
"C:\Users\Admin\AppData\Local\Temp\f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1244
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 920 -ip 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1488
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1872 -ip 1872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 440
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3176 -ip 3176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 888
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2300 -ip 2300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jkshb.su | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
Files
memory/920-1-0x0000000001EE0000-0x0000000001FE0000-memory.dmp
memory/920-2-0x0000000003880000-0x00000000038EB000-memory.dmp
memory/920-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
| MD5 | 27884cb1c7d946789149be915954413d |
| SHA1 | c7c5141ec3449ce575fe2b72ea8983aaa79c359d |
| SHA256 | f2666b3feaeb1f4495b62386f1ca40de92af3baa1db5cf9e246ffb3820b7ad8c |
| SHA512 | caeffd6145316b7396bb257171c0fc3028df9437c4c1af50e826f7aa1b5446a52522aca00c9029be3442f2cf56fa476cfee3ddc9a9bca3fb585baaa14737c254 |
memory/2336-16-0x0000000000400000-0x0000000001BF8000-memory.dmp
memory/920-19-0x0000000000400000-0x0000000000470000-memory.dmp
memory/920-18-0x0000000003880000-0x00000000038EB000-memory.dmp
memory/920-17-0x0000000000400000-0x0000000001BF8000-memory.dmp
memory/2336-24-0x0000000000400000-0x0000000001BF8000-memory.dmp
memory/1872-27-0x0000000000400000-0x0000000001BF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\124900551406
| MD5 | 20c141da1ffb7d04c0b6cc5a0374dbc9 |
| SHA1 | 1187ec2ceaadffbbffa65a236d4ddd3f964344ea |
| SHA256 | 1f65614b270996fe0a250465b3941bd2b0110b4b38659fdcbe18e6051b063bd4 |
| SHA512 | 7ba247abb1eab1504f76ceefb99699d3f828c8101a1da0ba004d437d9cc9ecab430315325efda104d815af1aae6442aee6053384be5b2b171ad468bef3bf1512 |
memory/2336-40-0x0000000000400000-0x0000000001BF8000-memory.dmp
memory/3176-47-0x0000000000400000-0x0000000001BF8000-memory.dmp
memory/2300-56-0x0000000000400000-0x0000000001BF8000-memory.dmp