Analysis Overview
SHA256
314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
Threat Level: Known bad
The file 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61 was found to be: Known bad.
Malicious Activity Summary
Amadey
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 12:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 12:41
Reported
2024-06-20 12:44
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 3532 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 3532 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
"C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1184
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1424
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 760 -ip 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 444
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1812 -ip 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 852
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 440 -ip 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 444
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | 245.212.199.187.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| MX | 187.199.212.245:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
Files
memory/3532-1-0x0000000002A20000-0x0000000002B20000-memory.dmp
memory/3532-3-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3532-2-0x00000000043C0000-0x000000000442F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | 052e6b664d68958cff0d19ef11286662 |
| SHA1 | abe767326cf2188599f6b59863e74ade34e48d73 |
| SHA256 | 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61 |
| SHA512 | 93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b |
memory/1812-16-0x0000000000400000-0x0000000002767000-memory.dmp
memory/3532-19-0x00000000043C0000-0x000000000442F000-memory.dmp
memory/3532-18-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3532-17-0x0000000000400000-0x0000000002767000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\080292272204
| MD5 | 3875b80c8cfa9ba24e0a0c30b71bbbd8 |
| SHA1 | 2f23e14f5f378f9a8aa695ef6fdb8416efebc204 |
| SHA256 | 14e3b2dfdd56e742a7ab85ddc0fbf8e6416de1aae36ee94115ea16d742709833 |
| SHA512 | bb5c4cc13d42732d5e18c010ea7050f7b0fe5784f29af4ff1dfda61c01d5c7e800463c36d58a7a8105ed79f73216336fd7678b77de92619a19d98a3679dc3b47 |
memory/760-30-0x0000000000400000-0x0000000002767000-memory.dmp
memory/1812-38-0x0000000000400000-0x0000000002767000-memory.dmp
memory/1812-39-0x0000000000400000-0x0000000002767000-memory.dmp
memory/4580-46-0x0000000000400000-0x0000000002767000-memory.dmp
memory/440-55-0x0000000000400000-0x0000000002767000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 12:41
Reported
2024-06-20 12:44
Platform
win11-20240611-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4388 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 4388 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 4388 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
"C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1136
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1548
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 248 -ip 248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 248 -s 480
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 936
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2632 -ip 2632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 480
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| DO | 148.101.154.174:80 | selltix.org | tcp |
| DO | 148.101.154.174:80 | selltix.org | tcp |
| DO | 148.101.154.174:80 | selltix.org | tcp |
| DO | 148.101.154.174:80 | selltix.org | tcp |
| DO | 148.101.154.174:80 | selltix.org | tcp |
| DO | 148.101.154.174:80 | selltix.org | tcp |
| US | 52.111.227.11:443 | tcp | |
| DO | 148.101.154.174:80 | selltix.org | tcp |
| DO | 148.101.154.174:80 | selltix.org | tcp |
| DO | 148.101.154.174:80 | selltix.org | tcp |
Files
memory/4388-1-0x0000000002920000-0x0000000002A20000-memory.dmp
memory/4388-2-0x0000000004470000-0x00000000044DF000-memory.dmp
memory/4388-3-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | 052e6b664d68958cff0d19ef11286662 |
| SHA1 | abe767326cf2188599f6b59863e74ade34e48d73 |
| SHA256 | 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61 |
| SHA512 | 93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b |
memory/2156-16-0x0000000000400000-0x0000000002767000-memory.dmp
memory/2156-20-0x0000000000400000-0x0000000002767000-memory.dmp
memory/4388-19-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4388-17-0x0000000000400000-0x0000000002767000-memory.dmp
memory/4388-18-0x0000000004470000-0x00000000044DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\276817940128
| MD5 | 8ddf96e18d1fa6f56b44da76664a2c6f |
| SHA1 | 344381e12666f5ec9e5f97a163bc0b03580acf76 |
| SHA256 | 194fb63cfded8d67c7fd065a1db359caaef722b46a68ab2d8ca3f71e58faee6d |
| SHA512 | 1e268fc8495a2b76c08818d4b80823745be67c45c983d1e07d2935d79b770f80649491b329d140d05f111523ca55084fe93a824a08d026eda723460026a67cd0 |
memory/248-35-0x0000000000400000-0x0000000002767000-memory.dmp
memory/2156-39-0x0000000000400000-0x0000000002767000-memory.dmp
memory/2156-40-0x0000000000400000-0x0000000002767000-memory.dmp
memory/4556-48-0x0000000000400000-0x0000000002767000-memory.dmp
memory/2632-56-0x0000000000400000-0x0000000002767000-memory.dmp