Analysis Overview
SHA256
c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc
Threat Level: Known bad
The file c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc was found to be: Known bad.
Malicious Activity Summary
Amadey
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 23:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 23:52
Reported
2024-06-18 23:54
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3640 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 3640 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 3640 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe
"C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1232
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 548
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1432
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3672 -ip 3672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 448
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 8 -ip 8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 908
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 47.250.225.187.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| MX | 187.225.250.47:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
Files
memory/3640-3-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3640-2-0x00000000029D0000-0x0000000002A3F000-memory.dmp
memory/3640-1-0x0000000002AA0000-0x0000000002BA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | 1c328c06050cbddc572488041ba266cf |
| SHA1 | 76bc672a965c4767bdb2dd1e03e409d3dd8383f2 |
| SHA256 | c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc |
| SHA512 | 962f1b3ea083c4248bbe71a41bae74aafc973bc9e2ab6d417da021411e58fd5d484f31da01bc6e628d02fc576a214346aa5bc9cc34c815ea98db3ebbaabe6b0b |
memory/4432-16-0x0000000000400000-0x0000000002768000-memory.dmp
memory/3640-19-0x00000000029D0000-0x0000000002A3F000-memory.dmp
memory/3640-18-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3640-17-0x0000000000400000-0x0000000002768000-memory.dmp
memory/4432-24-0x0000000000400000-0x0000000002768000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\181767204200
| MD5 | 42004f4c6552f03ca5a3d4ece77558c3 |
| SHA1 | 93694e3eb3ec48ec64bd4d14114565a7dfbe7fca |
| SHA256 | cde876c972b2e550d7826588695a9bf48849e53624015c79d7ef5fe14592867e |
| SHA512 | e76546012d490699cf08779091c2e9bc402691e27190ff7810aa32bb067b3de0b678d9c9327ddcf1265caf0749947b8362dccc9187d54062a1534e113bb8c1c6 |
memory/4432-36-0x0000000000400000-0x0000000002768000-memory.dmp
memory/3672-40-0x0000000000400000-0x0000000002768000-memory.dmp
memory/8-49-0x0000000000400000-0x0000000002768000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 23:52
Reported
2024-06-18 23:54
Platform
win11-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2096 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 2096 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 2096 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe
"C:\Users\Admin\AppData\Local\Temp\c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1132
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1392
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3872 -ip 3872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 476
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4428 -ip 4428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2636 -ip 2636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 924
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
Files
memory/2096-2-0x0000000004470000-0x00000000044DF000-memory.dmp
memory/2096-1-0x0000000002880000-0x0000000002980000-memory.dmp
memory/2096-3-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | 1c328c06050cbddc572488041ba266cf |
| SHA1 | 76bc672a965c4767bdb2dd1e03e409d3dd8383f2 |
| SHA256 | c07da14606cfcb3a3eeba5e0f6d39d44ff43e8d67377d06cdd3d3a9a7d5252bc |
| SHA512 | 962f1b3ea083c4248bbe71a41bae74aafc973bc9e2ab6d417da021411e58fd5d484f31da01bc6e628d02fc576a214346aa5bc9cc34c815ea98db3ebbaabe6b0b |
memory/2636-16-0x0000000000400000-0x0000000002768000-memory.dmp
memory/2096-19-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2096-18-0x0000000004470000-0x00000000044DF000-memory.dmp
memory/2096-17-0x0000000000400000-0x0000000002768000-memory.dmp
memory/2636-24-0x0000000000400000-0x0000000002768000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\001105534270
| MD5 | 9c7fc3f3900b496aaecaf7384a99257c |
| SHA1 | 8db37bded403171dc28e25cf2b4a1e02f3b4dbc2 |
| SHA256 | c2c3ea469a769d13bab457b59e9855dc4b13fd68b2d3162390f655dde1861a5c |
| SHA512 | 0d17db4153d2ac2241e39073f3740570ea96e676bf2c5d2da27da20211c42be01b341056df835c21a73e2b1bb3558d97a5b564afded575675873ebab11c552fe |
memory/2636-29-0x0000000000400000-0x0000000002768000-memory.dmp
memory/2636-38-0x0000000000400000-0x0000000002768000-memory.dmp
memory/3872-40-0x0000000000400000-0x0000000002768000-memory.dmp
memory/4428-49-0x0000000000400000-0x0000000002768000-memory.dmp