Analysis Overview
SHA256
9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764
Threat Level: Known bad
The file 9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764 was found to be: Known bad.
Malicious Activity Summary
Amadey
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-16 08:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 08:47
Reported
2024-06-16 08:49
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4372 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 4372 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 4372 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe
"C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1172
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1432
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4224 -ip 4224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 440
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1212 -ip 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 900
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
Files
memory/4372-1-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/4372-2-0x0000000002150000-0x00000000021BB000-memory.dmp
memory/4372-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
| MD5 | e577baaafedd6fb3753b0513de5fa3c9 |
| SHA1 | 6485630373b9cbd7fa2a48d44a803e46f2fbbc69 |
| SHA256 | 9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764 |
| SHA512 | 7557000ad8ba23d422abbe0db5ac9f7f1ab8fe99d703c55f21e6f85212552fd9c29b140f77da6060d207fdff763b223d18a580a255c262329fb0766d290b825b |
memory/4372-19-0x0000000002150000-0x00000000021BB000-memory.dmp
memory/4372-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4372-18-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4908-22-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4908-23-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4908-24-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4908-29-0x0000000000400000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\181767204200
| MD5 | ae941877c0e5e10991390be51ea16183 |
| SHA1 | 6b3c55efb531b2ecc2728d9f21b6d25189a5b21f |
| SHA256 | 6dc75be1ce39049c5d88893b97974b85b78661eab6c0565a76ca7d921484f764 |
| SHA512 | e4f7f6f1a864897ddcde0bc63240b775cfe67c4483e5d3d85e915265ec2e35d9c2f72d668304e3d5bb2b22597141430e8d9a7a197de67b5004f791c4593af972 |
memory/4908-41-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4224-45-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4224-46-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4224-47-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1212-56-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1212-57-0x0000000000400000-0x0000000000484000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 08:47
Reported
2024-06-16 08:49
Platform
win11-20240611-en
Max time kernel
147s
Max time network
94s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4980 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 4980 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 4980 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe
"C:\Users\Admin\AppData\Local\Temp\9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 900
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1356
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3048 -ip 3048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 476
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1944 -ip 1944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 908
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| AR | 200.122.37.247:80 | check-ftp.ru | tcp |
| AR | 200.122.37.247:80 | check-ftp.ru | tcp |
| N/A | 127.0.0.127:80 | tcp | |
| AR | 200.122.37.247:80 | check-ftp.ru | tcp |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp |
Files
memory/4980-1-0x0000000000730000-0x0000000000830000-memory.dmp
memory/4980-2-0x00000000021D0000-0x000000000223B000-memory.dmp
memory/4980-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
| MD5 | e577baaafedd6fb3753b0513de5fa3c9 |
| SHA1 | 6485630373b9cbd7fa2a48d44a803e46f2fbbc69 |
| SHA256 | 9cb02164d6c2b7e7bb1f51d6e9bbf30962deed32478fd62767fa71fd20fac764 |
| SHA512 | 7557000ad8ba23d422abbe0db5ac9f7f1ab8fe99d703c55f21e6f85212552fd9c29b140f77da6060d207fdff763b223d18a580a255c262329fb0766d290b825b |
memory/4980-19-0x00000000021D0000-0x000000000223B000-memory.dmp
memory/4980-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4980-18-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2520-23-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2520-22-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2520-24-0x0000000000400000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\524922173293
| MD5 | 36304424d71c306ed6d62d73d1d85473 |
| SHA1 | f86c66085baf29585ec52b75a4c65136497c6a23 |
| SHA256 | ff6be4ae9fe04f9c34df5440a968b4996dbc201949b57862b37b488f6025cde1 |
| SHA512 | bfa5c6c37593125657f5f222551fc3e42926f9053ce24d0ab3e659343a25bb8b783dd9ac4d7ddb1a2e780e93eb19b7572430eff9146abeae804356942cb67fe7 |
memory/2520-33-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2520-41-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3048-46-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3048-47-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1944-56-0x0000000000400000-0x0000000000484000-memory.dmp