Malware Analysis Report

2024-09-11 13:44

Sample ID 240615-yg65lasfpa
Target f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
SHA256 f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4

Threat Level: Known bad

The file f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 19:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 19:46

Reported

2024-06-15 19:49

Platform

win7-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1612 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1612 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1612 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe

"C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp

Files

memory/1612-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/1612-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1612-2-0x0000000000220000-0x000000000028F000-memory.dmp

memory/1612-5-0x0000000000400000-0x0000000000487000-memory.dmp

memory/1612-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1612-20-0x0000000000400000-0x0000000000487000-memory.dmp

memory/1612-19-0x00000000005B0000-0x00000000006B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 e74f545545336a9143e2f35aef50aee0
SHA1 36c23904db55217c0eba2378408d8af710faf735
SHA256 f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4
SHA512 2f15f9cffda6597bf2e350fb1d77f5eaeacc3ba7bb73ecc881ac1cc994ab691bf648c9b206025eb1d7616a4d7f25ca625af13fede7669b3842baedfb019d6dad

memory/2640-22-0x0000000000400000-0x0000000000487000-memory.dmp

memory/2640-28-0x0000000000400000-0x0000000000487000-memory.dmp

memory/2640-29-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\737914667933

MD5 71bd54a2e82ae8561cc943187ff74b84
SHA1 b1a8843459355e40a8b4ebbc2102486c7621ab31
SHA256 3077ff18f094fe6cf70850559168bd850d526e2bded7a0337a7360a916408ef3
SHA512 187ae927e0474c4ef01660d5d84efd1004cb682d413d7ca31c475d6c351654eec082805c9bba9d5105a910e349c13d19fcc4f74931121b2b1428abf4c07674ba

memory/2640-34-0x0000000000400000-0x0000000000487000-memory.dmp

memory/2640-41-0x0000000000400000-0x0000000000487000-memory.dmp

memory/2640-45-0x0000000000400000-0x0000000000487000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 19:46

Reported

2024-06-15 19:49

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3020 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3020 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe

"C:\Users\Admin\AppData\Local\Temp\f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1240

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1368

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3928 -ip 3928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 440

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 376 -ip 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 788

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp

Files

memory/3020-1-0x0000000000820000-0x0000000000920000-memory.dmp

memory/3020-2-0x0000000000730000-0x000000000079F000-memory.dmp

memory/3020-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 e74f545545336a9143e2f35aef50aee0
SHA1 36c23904db55217c0eba2378408d8af710faf735
SHA256 f4e3a5e436bd1548215069d1bbe22bbf62e720b122ac0bf8880f5ea92921e3a4
SHA512 2f15f9cffda6597bf2e350fb1d77f5eaeacc3ba7bb73ecc881ac1cc994ab691bf648c9b206025eb1d7616a4d7f25ca625af13fede7669b3842baedfb019d6dad

memory/3020-18-0x0000000000400000-0x0000000000487000-memory.dmp

memory/3020-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/3020-19-0x0000000000730000-0x000000000079F000-memory.dmp

memory/1548-22-0x0000000000400000-0x0000000000487000-memory.dmp

memory/1548-23-0x0000000000400000-0x0000000000487000-memory.dmp

memory/1548-28-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\337824034273

MD5 2f94d4d4ef762331f76524971e0cf6a4
SHA1 3fdb0cde2b7529c5a233ce09cf99b517b37cb45c
SHA256 83f51043bc9d64eb46c5eb38f482a9602aeae958ede721c523f151067bed8f02
SHA512 ecc4ff1883e4a1b3afdbedc5847870f7551dde5e279746618c4d112312be1aa7adf9b5f2bc9e8740cc00ea3530979fab505e37105b44f49d0f0242d5eaad42f8

memory/1548-40-0x0000000000400000-0x0000000000487000-memory.dmp

memory/3928-43-0x0000000000400000-0x0000000000487000-memory.dmp

memory/3928-45-0x0000000000400000-0x0000000000487000-memory.dmp

memory/376-54-0x0000000000400000-0x0000000000487000-memory.dmp

memory/376-55-0x0000000000400000-0x0000000000487000-memory.dmp