Analysis Overview
SHA256
440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc
Threat Level: Known bad
The file 440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc was found to be: Known bad.
Malicious Activity Summary
Amadey
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 19:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 19:53
Reported
2024-06-18 19:55
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 2380 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 2380 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe
"C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1260
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4924 -ip 4924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 472
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 528
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1456
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| MA | 41.140.82.25:80 | jkshb.su | tcp |
| MA | 41.140.82.25:80 | jkshb.su | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| KW | 78.89.199.216:80 | jkshb.su | tcp |
| KW | 78.89.199.216:80 | jkshb.su | tcp |
| KW | 78.89.199.216:80 | jkshb.su | tcp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | 216.199.89.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
Files
memory/2380-1-0x0000000002580000-0x0000000002680000-memory.dmp
memory/2380-2-0x0000000004120000-0x000000000418B000-memory.dmp
memory/2380-3-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2380-5-0x0000000000400000-0x0000000002396000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
| MD5 | c9d5e2dcf0cebb5300a382152b06e06f |
| SHA1 | 27372b42f68fc63bd3017a56ad0ccc699dceccd4 |
| SHA256 | 440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc |
| SHA512 | 50d222c9002e16906f2b50eb181ce0d7cbe9880fc3cc5714a947248e8259c14bec3ab6a3f2256f647d2c7270ce934ee52ca97c040f32ea11dc16c813be904963 |
memory/4924-17-0x0000000000400000-0x0000000002396000-memory.dmp
memory/2380-18-0x0000000000400000-0x0000000002396000-memory.dmp
memory/4924-19-0x0000000000400000-0x0000000002396000-memory.dmp
memory/2380-20-0x0000000002580000-0x0000000002680000-memory.dmp
memory/2380-23-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2380-22-0x0000000004120000-0x000000000418B000-memory.dmp
memory/4924-24-0x0000000000400000-0x0000000002396000-memory.dmp
memory/2796-31-0x0000000000400000-0x0000000002396000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\808065738166
| MD5 | 198d6912eb6d1b7e078b5b662ec0ce88 |
| SHA1 | de99bf58c55e40fc5431ba31878b928283665a34 |
| SHA256 | 2a38c0ff6fae3756e1ee0b5a36e627349682a4f07932f76c029c61e56971157e |
| SHA512 | bb356c52a34ad55a6af2231472d0d03a110eec3a1ae36e2bc9af8445015ff86aa774f6ab6f587099f90b7706ac90d9a8ef366c3de604d94cf2fb64154652500a |
memory/2796-37-0x0000000000400000-0x0000000002396000-memory.dmp
memory/2796-45-0x0000000000400000-0x0000000002396000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 19:53
Reported
2024-06-18 19:55
Platform
win11-20240611-en
Max time kernel
144s
Max time network
94s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3852 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 3852 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 3852 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe
"C:\Users\Admin\AppData\Local\Temp\440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1132
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1536
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 5072 -ip 5072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 480
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4224 -ip 4224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 900
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
| KR | 220.82.134.210:80 | jkshb.su | tcp |
| KR | 220.82.134.210:80 | jkshb.su | tcp |
| KR | 220.82.134.210:80 | jkshb.su | tcp |
Files
memory/3852-1-0x0000000002670000-0x0000000002770000-memory.dmp
memory/3852-2-0x0000000004110000-0x000000000417B000-memory.dmp
memory/3852-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
| MD5 | c9d5e2dcf0cebb5300a382152b06e06f |
| SHA1 | 27372b42f68fc63bd3017a56ad0ccc699dceccd4 |
| SHA256 | 440b89a38280e120ad5ca20376ed8e36a2982e7eb23a286c4facc2b31ee840fc |
| SHA512 | 50d222c9002e16906f2b50eb181ce0d7cbe9880fc3cc5714a947248e8259c14bec3ab6a3f2256f647d2c7270ce934ee52ca97c040f32ea11dc16c813be904963 |
memory/4148-16-0x0000000000400000-0x0000000002396000-memory.dmp
memory/3852-19-0x0000000000400000-0x0000000000470000-memory.dmp
memory/3852-18-0x0000000004110000-0x000000000417B000-memory.dmp
memory/3852-17-0x0000000000400000-0x0000000002396000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\235821424191
| MD5 | 349837cd06f77b85160d7ac66fe76040 |
| SHA1 | 1e1579f2c02aa7bdf2358e1997e93c3921267555 |
| SHA256 | c2a43b96e190e2cdb0586530c7b1ba7e910148fd4706b9a4245217e38d551cb0 |
| SHA512 | 22e57ecaa6bcd6271435c69f21d3a137e3b150f1d98dbc320492e19c4e52a3a11dc9de4d35f091d05d1cebd9f68048efb2764572c59f32dd6cb598b66870dfa6 |
memory/4148-35-0x0000000000400000-0x0000000002396000-memory.dmp
memory/5072-41-0x0000000000400000-0x0000000002396000-memory.dmp
memory/4224-50-0x0000000000400000-0x0000000002396000-memory.dmp