Analysis Overview
SHA256
1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b
Threat Level: Known bad
The file 1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b was found to be: Known bad.
Malicious Activity Summary
Amadey
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 22:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 22:06
Reported
2024-06-19 22:09
Platform
win11-20240611-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 2104 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 2104 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe
"C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1136
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1500
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 488
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3528 -ip 3528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 904
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 480
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| MK | 95.86.30.3:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/2104-2-0x0000000002190000-0x00000000021FF000-memory.dmp
memory/2104-1-0x0000000000670000-0x0000000000770000-memory.dmp
memory/2104-3-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | 49424674de93a3cb442fe160dfb6df59 |
| SHA1 | 7ff555f0a50d710c38aa97866d738886a80c22cd |
| SHA256 | 1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b |
| SHA512 | 57764e4a8bd9773b107fc706068234ba8377c1563e49e73d27ab7724f4452189d89f6661e8185311c5e693fc6a1d3994171cf9df8a26622aa8e504e0b6bcc297 |
memory/2104-20-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2104-19-0x0000000002190000-0x00000000021FF000-memory.dmp
memory/2104-18-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4736-22-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\235821424191
| MD5 | 32d1392bcf4fdeaa339e864721e4a25c |
| SHA1 | 38c3578e55e76afca7687bd815fc2713441d0526 |
| SHA256 | 575d902705a6c201ab14e72f78018fd5a349bab5d45b523635c173d3d5621165 |
| SHA512 | 7a11e113143ce71310f3ac4b269d69404a9e10b8df8a9e73aed5f70709337f3a8b649e320847773bf59646fae7e3812390efb3e3bf3372c0d6823611e58b6bb9 |
memory/4736-38-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4736-41-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4988-42-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4988-43-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3528-52-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4272-61-0x0000000000400000-0x0000000000473000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 22:06
Reported
2024-06-19 22:09
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 552 wrote to memory of 4228 | N/A | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 552 wrote to memory of 4228 | N/A | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 552 wrote to memory of 4228 | N/A | C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe
"C:\Users\Admin\AppData\Local\Temp\1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1172
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1468
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 516 -ip 516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 448
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2020 -ip 2020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 892
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4184 -ip 4184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 440
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 210.134.82.220.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 52.111.227.13:443 | tcp | |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| KR | 220.82.134.210:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/552-1-0x0000000000540000-0x0000000000640000-memory.dmp
memory/552-2-0x00000000020C0000-0x000000000212F000-memory.dmp
memory/552-3-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | 49424674de93a3cb442fe160dfb6df59 |
| SHA1 | 7ff555f0a50d710c38aa97866d738886a80c22cd |
| SHA256 | 1a7eb1768c065d68288aeaeeb0593792b75079808f310f3dab921323e6c85b1b |
| SHA512 | 57764e4a8bd9773b107fc706068234ba8377c1563e49e73d27ab7724f4452189d89f6661e8185311c5e693fc6a1d3994171cf9df8a26622aa8e504e0b6bcc297 |
memory/552-18-0x0000000000400000-0x0000000000473000-memory.dmp
memory/552-20-0x0000000000400000-0x0000000000472000-memory.dmp
memory/552-19-0x00000000020C0000-0x000000000212F000-memory.dmp
memory/4228-22-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4228-27-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\080292272204
| MD5 | e42f0165da198205436f199941025554 |
| SHA1 | e0c4f761b92980173d6bc5693737224fbad48ff0 |
| SHA256 | f830963231fc668bacdc4c49a8cebf52095f11db2f1b487031deaa9274a66062 |
| SHA512 | 46af06140864a7809e294f0c38fbda01dfa44cf47bd2eec0dbd802d19a8b61ac9488658bb0f0df8abfcd4ebb3e141e6d9cf84e29446d5725191286a7a9557d60 |
memory/516-41-0x0000000000400000-0x0000000000473000-memory.dmp
memory/516-42-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4228-43-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2020-52-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4184-60-0x0000000000400000-0x0000000000473000-memory.dmp