Analysis Overview
SHA256
3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd
Threat Level: Known bad
The file 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd was found to be: Known bad.
Malicious Activity Summary
Amadey
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-21 09:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 09:50
Reported
2024-06-21 09:53
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1280 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 1280 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 1280 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
"C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1280 -ip 1280
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1432
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2544 -ip 2544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 436
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1976 -ip 1976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 748
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 23.41.178.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | 132.24.181.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| KR | 211.181.24.132:80 | selltix.org | tcp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/1280-2-0x0000000000750000-0x00000000007BF000-memory.dmp
memory/1280-1-0x00000000007D0000-0x00000000008D0000-memory.dmp
memory/1280-3-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | 0bd32722e092eff1ef9e88a945824715 |
| SHA1 | af868c26f0a9cce64e30020e99d014efafa22e62 |
| SHA256 | 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd |
| SHA512 | eab9d5f9f27adff92612df9a8a76ca403f7acb99a528772f9d389f7f6dc50919340c6e1c679f405b79b72ee8419d710fb5dcdcf2e1b8df5a74960437423ed2c7 |
memory/1280-16-0x0000000000750000-0x00000000007BF000-memory.dmp
memory/1280-17-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4564-19-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4564-20-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\080292272204
| MD5 | b41b31a0a0493ddf165e13cbef7e6d2d |
| SHA1 | a96c858b7d2f1518402944f5f8de159eb06aa3f6 |
| SHA256 | f4d4f8065e570e390449033a0b3880c195ed24d296d37a4086f23776c104e9e3 |
| SHA512 | ad0bf806afd73184fcc5a67e8981eedeeac942def1efa6ee4bed53471b2752a88089e560ef27d59803d5549300fb261e7d60ab824170a96c9ee5cb4796b82809 |
memory/4564-36-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4564-37-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2544-41-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2544-42-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2544-43-0x0000000000400000-0x0000000000472000-memory.dmp
memory/1976-52-0x0000000000400000-0x0000000000472000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 09:50
Reported
2024-06-21 09:53
Platform
win11-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4388 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 4388 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
| PID 4388 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
"C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1048
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1244
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4548 -ip 4548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 480
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4040 -ip 4040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 904
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selltix.org | udp |
| US | 8.8.8.8:53 | nudump.com | udp |
| US | 8.8.8.8:53 | otyt.ru | udp |
| CL | 190.13.174.94:80 | selltix.org | tcp |
| CL | 190.13.174.94:80 | selltix.org | tcp |
| CL | 190.13.174.94:80 | selltix.org | tcp |
| CL | 190.13.174.94:80 | selltix.org | tcp |
| CL | 190.13.174.94:80 | selltix.org | tcp |
| CL | 190.13.174.94:80 | selltix.org | tcp |
| US | 52.111.227.11:443 | tcp | |
| CL | 190.13.174.94:80 | selltix.org | tcp |
| CL | 190.13.174.94:80 | selltix.org | tcp |
| CL | 190.13.174.94:80 | selltix.org | tcp |
Files
memory/4388-2-0x0000000002210000-0x000000000227F000-memory.dmp
memory/4388-1-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/4388-3-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
| MD5 | 0bd32722e092eff1ef9e88a945824715 |
| SHA1 | af868c26f0a9cce64e30020e99d014efafa22e62 |
| SHA256 | 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd |
| SHA512 | eab9d5f9f27adff92612df9a8a76ca403f7acb99a528772f9d389f7f6dc50919340c6e1c679f405b79b72ee8419d710fb5dcdcf2e1b8df5a74960437423ed2c7 |
memory/4388-16-0x0000000002210000-0x000000000227F000-memory.dmp
memory/4388-17-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4736-19-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\276817940128
| MD5 | 8d0aae7a788d975e2bebd4ab835540e7 |
| SHA1 | 5f418e39bb78725170207e04ee0d08c2804cc656 |
| SHA256 | 7674e421fc476cf38ce12faa1530d4b2433562bc1f420081c8f0190f16fcfa51 |
| SHA512 | 7de2ca2e78ea3da3831272cd220c87fbee18b3950d93bdcc696d038e999383a4e7fbf881f9f559021483f2e181d8acd4bbd7c1183f8c34b569b5f8ecbc61e7df |
memory/4736-35-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4736-36-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4548-40-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4548-39-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4548-41-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4548-42-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4040-51-0x0000000000400000-0x0000000000472000-memory.dmp