Analysis Overview
SHA256
88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8
Threat Level: Known bad
The file 88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8 was found to be: Known bad.
Malicious Activity Summary
Amadey
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-16 16:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 16:52
Reported
2024-06-16 16:54
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3892 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 3892 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 3892 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe
"C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1240
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1456
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1704 -ip 1704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 440
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3284 -ip 3284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 444
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| N/A | 127.0.0.127:80 | tcp | |
| PE | 190.187.52.42:80 | check-ftp.ru | tcp |
| PE | 190.187.52.42:80 | check-ftp.ru | tcp |
| PE | 190.187.52.42:80 | check-ftp.ru | tcp |
| N/A | 127.0.0.127:80 | tcp | |
| US | 8.8.8.8:53 | 42.52.187.190.in-addr.arpa | udp |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp | |
| N/A | 127.0.0.127:80 | tcp | |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| DE | 216.58.206.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.206.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
memory/3892-1-0x0000000000720000-0x0000000000820000-memory.dmp
memory/3892-2-0x0000000002100000-0x000000000216B000-memory.dmp
memory/3892-3-0x0000000000400000-0x0000000000470000-memory.dmp
memory/3892-5-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3892-9-0x0000000000400000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
| MD5 | a9a0f1c13f0710e2c6ea56d261157baf |
| SHA1 | 9012c5c04de05499f39f1b722382b9a76ead89f3 |
| SHA256 | 88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8 |
| SHA512 | e66b8074d8ff7be80945a720600ecd7bcf84ffa4bb567e6f08888f6766ec2e167e093edc507e9dc9cd49c0c5bf44c95000c056a8435dbd7692e47a4febf616de |
memory/3892-20-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3892-22-0x0000000000400000-0x0000000000470000-memory.dmp
memory/3892-21-0x0000000002100000-0x000000000216B000-memory.dmp
memory/4140-24-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4140-26-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4140-25-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4140-31-0x0000000000400000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\808065738166
| MD5 | 0f79c64027da22e199ff0b42609a0d55 |
| SHA1 | 06f08583cf4ce852cde6eba7bc38f7e11dd86bc2 |
| SHA256 | 0fd013fc6bc518ba557af853ff52d68c45cc590c06122cfd24a51bbd778b0cf1 |
| SHA512 | c21e383717f2da823e5bd8c8a657dffe9910df71aeff9f00fda98867ed3852125402d228b63e1aed5c39e9dbe86300f15ffd37d0a776df41742f2119aebf10b6 |
memory/4140-37-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1704-39-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1704-41-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1704-40-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1704-43-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4140-51-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3284-59-0x0000000000400000-0x0000000000484000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 16:52
Reported
2024-06-16 16:54
Platform
win11-20240508-en
Max time kernel
147s
Max time network
99s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4512 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 4512 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
| PID 4512 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe | C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe
"C:\Users\Admin\AppData\Local\Temp\88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1076
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1444
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2308 -ip 2308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 472
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2776 -ip 2776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1252
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| US | 8.8.8.8:53 | check-ftp.ru | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| US | 8.8.8.8:53 | techolivls.in | udp |
| US | 8.8.8.8:53 | dnschnj.at | udp |
| US | 52.111.229.43:443 | tcp |
Files
memory/4512-1-0x00000000006C0000-0x00000000007C0000-memory.dmp
memory/4512-2-0x00000000021A0000-0x000000000220B000-memory.dmp
memory/4512-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
| MD5 | a9a0f1c13f0710e2c6ea56d261157baf |
| SHA1 | 9012c5c04de05499f39f1b722382b9a76ead89f3 |
| SHA256 | 88d121e09d012942ebf5289a859b310fc7e3e862ce24781869148ef7dfde67e8 |
| SHA512 | e66b8074d8ff7be80945a720600ecd7bcf84ffa4bb567e6f08888f6766ec2e167e093edc507e9dc9cd49c0c5bf44c95000c056a8435dbd7692e47a4febf616de |
memory/4512-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4512-19-0x00000000021A0000-0x000000000220B000-memory.dmp
memory/4512-18-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4876-22-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4876-27-0x0000000000400000-0x0000000000484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\001105534270
| MD5 | bd3e1a60f49ec49c0cf0e993780e439e |
| SHA1 | 6d8ae05d067c2c8a0245a2e3e8a4cdafba0f20e9 |
| SHA256 | 3340f480392677003687b1f358658e458bd7e91e792a111d039cf26f01f94219 |
| SHA512 | b4e91b9021ea677788558ff612abacae0a40b07abc6f240f2aee87e3d5234b056bd063d182b3b88b808efc792214649df7c62611da7c5e941b9931493db43c6a |
memory/4876-32-0x0000000000400000-0x0000000000484000-memory.dmp
memory/4876-40-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2308-43-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2308-44-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2776-53-0x0000000000400000-0x0000000000484000-memory.dmp