Analysis Overview
SHA256
561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9
Threat Level: Known bad
The file 561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9 was found to be: Known bad.
Malicious Activity Summary
Amadey
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 20:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 20:54
Reported
2024-06-18 20:57
Platform
win11-20240419-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 468 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 468 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 468 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe
"C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1132
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1524
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5028 -ip 5028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 480
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 900
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1596 -ip 1596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 488
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
Files
memory/468-1-0x00000000029C0000-0x0000000002AC0000-memory.dmp
memory/468-3-0x0000000000400000-0x0000000000472000-memory.dmp
memory/468-2-0x00000000044A0000-0x000000000450F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | b702e6456ab8cc32654546e7a3bfa42e |
| SHA1 | 46d5d4eaaefdc00ae0ef08593d5a4d9076901f48 |
| SHA256 | 561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9 |
| SHA512 | 69dd9e7cecddaef97c2a53d84285347653bf165615abdee02a33a34c363f2543bea768bb04ddda666f2cd5be9d2f634aa643cb6c74778e5a83f1e4fe9d6d93f2 |
memory/2428-16-0x0000000000400000-0x0000000002768000-memory.dmp
memory/2428-17-0x0000000000400000-0x0000000002768000-memory.dmp
memory/468-19-0x0000000000400000-0x0000000000472000-memory.dmp
memory/468-20-0x00000000044A0000-0x000000000450F000-memory.dmp
memory/468-18-0x0000000000400000-0x0000000002768000-memory.dmp
memory/2428-25-0x0000000000400000-0x0000000002768000-memory.dmp
memory/5028-28-0x0000000000400000-0x0000000002768000-memory.dmp
memory/2428-29-0x0000000000400000-0x0000000002768000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\474490143322
| MD5 | 50b82d5f350767f44e79596aa8a0023f |
| SHA1 | 98d6a5827f9adff2cc1c993332cef2af8c5fd183 |
| SHA256 | eac3a0e5b59de46632c92e85b78494f2a3c39ad50cec1ec47595221b83e730af |
| SHA512 | 11ac1a3124cf2353ec49e046b732c19a77dbd08420dc05aab89ceda3efcb404e8f53d878f8202f4dac2e10498c52b94d20ff50e60736be588c511b9e9b7760b0 |
memory/2428-41-0x0000000000400000-0x0000000002768000-memory.dmp
memory/4076-48-0x0000000000400000-0x0000000002768000-memory.dmp
memory/1596-57-0x0000000000400000-0x0000000002768000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 20:54
Reported
2024-06-18 20:57
Platform
win10v2004-20240611-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 768 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 768 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 768 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe
"C:\Users\Admin\AppData\Local\Temp\561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 768 -ip 768
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3496 -ip 3496
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4256,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1476
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 448
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3100 -ip 3100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 888
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4440 -ip 4440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 24.117.199.187.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| MX | 187.199.117.24:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
Files
memory/768-2-0x0000000004390000-0x00000000043FF000-memory.dmp
memory/768-1-0x0000000002890000-0x0000000002990000-memory.dmp
memory/768-3-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | b702e6456ab8cc32654546e7a3bfa42e |
| SHA1 | 46d5d4eaaefdc00ae0ef08593d5a4d9076901f48 |
| SHA256 | 561d6a6e5dc19d5c5b14c5eeeb1585be4b976f02b54d36b60a295fab547029d9 |
| SHA512 | 69dd9e7cecddaef97c2a53d84285347653bf165615abdee02a33a34c363f2543bea768bb04ddda666f2cd5be9d2f634aa643cb6c74778e5a83f1e4fe9d6d93f2 |
memory/3496-16-0x0000000000400000-0x0000000002768000-memory.dmp
memory/768-19-0x0000000000400000-0x0000000000472000-memory.dmp
memory/768-18-0x0000000004390000-0x00000000043FF000-memory.dmp
memory/768-17-0x0000000000400000-0x0000000002768000-memory.dmp
memory/3496-20-0x0000000000400000-0x0000000002768000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\665033694144
| MD5 | 53cb7dda91993d7a23906cf3365e116d |
| SHA1 | fdc82eec6f977cc77a17a7f6306d9590c9e9039c |
| SHA256 | a4f18078814b160ecf75ed4138a6b189cae76c7862d7a61761bd56cbaf53ac79 |
| SHA512 | a36d4eb7f2794082b6ec615446e1d7cb68b895e218083c97ddfdb1a1372a971bf5818e0bc9043de7beb2d02a25aa71b85b89efb9e3b300a2d83bef1724687b0d |
memory/3496-29-0x0000000000400000-0x0000000002768000-memory.dmp
memory/3120-39-0x0000000000400000-0x0000000002768000-memory.dmp
memory/3496-40-0x0000000000400000-0x0000000002768000-memory.dmp
memory/3100-48-0x0000000000400000-0x0000000002768000-memory.dmp
memory/4440-57-0x0000000000400000-0x0000000002768000-memory.dmp