Analysis Overview
SHA256
af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051
Threat Level: Known bad
The file af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051 was found to be: Known bad.
Malicious Activity Summary
Amadey
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 15:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 15:33
Reported
2024-06-19 15:36
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
128s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1532 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 1532 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 1532 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe
"C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1152
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3368,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=3364 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1432
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4048 -ip 4048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 444
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4452 -ip 4452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 864
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1688 -ip 1688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 440
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
| IR | 46.100.50.5:80 | jkshb.su | tcp |
| IR | 46.100.50.5:80 | jkshb.su | tcp |
| IR | 46.100.50.5:80 | jkshb.su | tcp |
| US | 8.8.8.8:53 | 5.50.100.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/1532-1-0x00000000005D0000-0x00000000006D0000-memory.dmp
memory/1532-2-0x0000000000560000-0x00000000005CB000-memory.dmp
memory/1532-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
| MD5 | aed08386ec5ca24caee809144ab8032d |
| SHA1 | a7665fd400ed96fa6cda6af5e55d7bd3ec597c1a |
| SHA256 | af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051 |
| SHA512 | 774a07e3eb79e384def3ee144295a0144d2d1c04fc67e42c9f084f05f5e33f1e59a407cb4b0bf9ae26c543a1219e5dfcfb044978bbdb376cbde22060954aff77 |
memory/1532-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1532-19-0x0000000000560000-0x00000000005CB000-memory.dmp
memory/1532-18-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2320-22-0x0000000000400000-0x000000000047A000-memory.dmp
memory/2320-23-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\665033694144
| MD5 | efa6401ff3263e94bdf7452c9e27ef70 |
| SHA1 | 78409d1740fe88159df60e207547cfc099a3114e |
| SHA256 | c322c40e05a89c5c56bc9f85062e31be736703a90ffef0bc6ca5220a1aa3a9cf |
| SHA512 | 8c94cb18a776a1f15262aa800a7e99024b470ec92dd830d5841b830b53930b0f313da003163fce3e353be9a8be592f7a47748380778f1503a86ae5c34049fe83 |
memory/2320-39-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4048-42-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4048-43-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4452-52-0x0000000000400000-0x000000000047A000-memory.dmp
memory/1688-61-0x0000000000400000-0x000000000047A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 15:33
Reported
2024-06-19 15:36
Platform
win11-20240508-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3064 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 3064 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
| PID 3064 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe
"C:\Users\Admin\AppData\Local\Temp\af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1056
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1356
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 800 -ip 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 336
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3308 -ip 3308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 900
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3740 -ip 3740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 472
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jkshb.su | udp |
| US | 8.8.8.8:53 | greendag.ru | udp |
| US | 8.8.8.8:53 | osdhs.in.ne | udp |
Files
memory/3064-1-0x00000000006D0000-0x00000000007D0000-memory.dmp
memory/3064-2-0x0000000002180000-0x00000000021EB000-memory.dmp
memory/3064-3-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
| MD5 | aed08386ec5ca24caee809144ab8032d |
| SHA1 | a7665fd400ed96fa6cda6af5e55d7bd3ec597c1a |
| SHA256 | af540e751a84fc8695531a1519c9472025ffda94d491b7a3d9be3927e0079051 |
| SHA512 | 774a07e3eb79e384def3ee144295a0144d2d1c04fc67e42c9f084f05f5e33f1e59a407cb4b0bf9ae26c543a1219e5dfcfb044978bbdb376cbde22060954aff77 |
memory/3064-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/3064-19-0x0000000002180000-0x00000000021EB000-memory.dmp
memory/3064-18-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4420-22-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4420-23-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4420-24-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4420-29-0x0000000000400000-0x000000000047A000-memory.dmp
memory/800-32-0x0000000000400000-0x000000000047A000-memory.dmp
memory/800-33-0x0000000000400000-0x000000000047A000-memory.dmp
memory/800-34-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\001105534270
| MD5 | 08f6b9f37893077037f65507c00245e5 |
| SHA1 | fdb31aa2e73709fa7bf945e710c092ac55ed0de9 |
| SHA256 | 59efd1d538c019e82b97f79dc50fdd6a9a70b37240017c545f9fc2e1db93ae47 |
| SHA512 | 405808249257f36405d92e8654ba28fc6aa64fbc370ce0a06c68196e00493baa39a1627ba4e9778d3ab241ae7c72b002e14f7f1578974560caeb32ebbf837092 |
memory/4420-39-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4420-48-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3308-55-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3740-64-0x0000000000400000-0x000000000047A000-memory.dmp