Analysis Overview
SHA256
f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c
Threat Level: Known bad
The file f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c was found to be: Known bad.
Malicious Activity Summary
Amadey
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 20:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 20:06
Reported
2024-06-14 20:08
Platform
win10v2004-20240611-en
Max time kernel
147s
Max time network
128s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3652 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 3652 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 3652 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe
"C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 904
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4564,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 1140
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1188
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 872
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 2.17.107.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 112.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| N/A | 127.0.0.127:80 | tcp | |
| KG | 212.112.110.243:80 | check-ftp.ru | tcp |
| KG | 212.112.110.243:80 | check-ftp.ru | tcp |
| KG | 212.112.110.243:80 | check-ftp.ru | tcp |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp | |
| US | 8.8.8.8:53 | 243.110.112.212.in-addr.arpa | udp |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp | |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/3652-1-0x0000000000660000-0x0000000000760000-memory.dmp
memory/3652-2-0x00000000005F0000-0x000000000065B000-memory.dmp
memory/3652-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
| MD5 | 2604b449ccbfbd5dbb2c33cff5d85a33 |
| SHA1 | ecf9d1fae86c83b2c355c04d0931bb7875c6863c |
| SHA256 | f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c |
| SHA512 | 0dfa6f17638475519062f5e3a36d42330a3c145141e5e43bfbe18b76a14d17071d08619a1ad170e70566dac6efb15ee4b5496c482c1f980a2f3aa74f3a8de04b |
memory/3652-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/3652-19-0x00000000005F0000-0x000000000065B000-memory.dmp
memory/3652-18-0x0000000000400000-0x0000000000483000-memory.dmp
memory/4036-22-0x0000000000400000-0x0000000000483000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\665033694144
| MD5 | 1ffac2c3e3c37c13b68eec9594a8b7f1 |
| SHA1 | c566021ad8710b8ba4013f51692c9674f7cb1a99 |
| SHA256 | 646fc24a7b954910598599b4b3c1720205c41e74b0aadd31d4c6e7203a07e9f7 |
| SHA512 | e4a8c4793745b9d2dff6a3fb0b40dc6a370789790c492b5f87f21734fefb55a5b2a474150beb9d572a813c70161775289228f4dfb97158b50bcaea93da3b284c |
memory/4036-31-0x0000000000400000-0x0000000000483000-memory.dmp
memory/4036-39-0x0000000000400000-0x0000000000483000-memory.dmp
memory/3040-45-0x0000000000400000-0x0000000000483000-memory.dmp
memory/3040-44-0x0000000000400000-0x0000000000483000-memory.dmp
memory/3040-46-0x0000000000400000-0x0000000000483000-memory.dmp
memory/3040-47-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2892-56-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2892-57-0x0000000000400000-0x0000000000483000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 20:06
Reported
2024-06-14 20:08
Platform
win11-20240611-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 2916 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 2916 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe
"C:\Users\Admin\AppData\Local\Temp\f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1132
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1508
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1468 -ip 1468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 472
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1092 -ip 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 916
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| KG | 212.112.110.243:80 | check-ftp.ru | tcp |
| KG | 212.112.110.243:80 | check-ftp.ru | tcp |
| KG | 212.112.110.243:80 | check-ftp.ru | tcp |
Files
memory/2916-1-0x00000000007F0000-0x00000000008F0000-memory.dmp
memory/2916-2-0x0000000000710000-0x000000000077B000-memory.dmp
memory/2916-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
| MD5 | 2604b449ccbfbd5dbb2c33cff5d85a33 |
| SHA1 | ecf9d1fae86c83b2c355c04d0931bb7875c6863c |
| SHA256 | f935d00b08387bc8b9ad275dc5f19e68233abed7f3c2a43ffa21ba3f3567044c |
| SHA512 | 0dfa6f17638475519062f5e3a36d42330a3c145141e5e43bfbe18b76a14d17071d08619a1ad170e70566dac6efb15ee4b5496c482c1f980a2f3aa74f3a8de04b |
memory/2916-18-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2916-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2916-19-0x0000000000710000-0x000000000077B000-memory.dmp
memory/4708-22-0x0000000000400000-0x0000000000483000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\394516847340
| MD5 | 3d2099ee6a2766839df6124530661469 |
| SHA1 | 9a13cc350f86be0d91e7ff9846e86fe51f6598cc |
| SHA256 | 9d344013d24ab07da996c08dbdba3dd90e90159b7b86a39e8dd6e34729d5b856 |
| SHA512 | a1689a6b0031640d72e062f620d26e1372337dab660c0bec68dd052b4c78de7a6ac05700d5fb810ec8bf102eee1e0d607278fb87b7b6bb0510b54572a70f8fb1 |
memory/4708-38-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1468-44-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1468-45-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1092-55-0x0000000000400000-0x0000000000483000-memory.dmp