Malware Analysis Report

2024-09-11 14:23

Sample ID: 240622-bcrssazaqf
Target: 052e6b664d68958cff0d19ef11286662.bin
SHA256: 7371d21f531ec5c5ef2b392521f8abd4276a4f8161f4bd2a18969c5ce72cca4b
Tags: amadey, 8fc809, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 7371d21f531ec5c5ef2b392521f8abd4276a4f8161f4bd2a18969c5ce72cca4b
Threat Level: Known bad

The file 052e6b664d68958cff0d19ef11286662.bin was found to be: Known bad.

Malicious Activity Summary

Tags: amadey, 8fc809, trojan

Amadey
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-22 01:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 01:00
Reported: 2024-06-22 01:02
Platform: win7-20240419-en
Max time kernel: 145s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe"

Signatures

Amadey

Tags: trojan, amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

"C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
MY 219.92.154.145:80 selltix.org tcp
MY 219.92.154.145:80 selltix.org tcp
MY 219.92.154.145:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
MY 219.92.154.145:80 selltix.org tcp
MY 219.92.154.145:80 selltix.org tcp
MY 219.92.154.145:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
MY 219.92.154.145:80 selltix.org tcp
MY 219.92.154.145:80 selltix.org tcp
MY 219.92.154.145:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp

Files

memory/2288-1-0x0000000002850000-0x0000000002950000-memory.dmp

memory/2288-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2288-2-0x0000000000220000-0x000000000028F000-memory.dmp

memory/2288-9-0x0000000000400000-0x0000000002767000-memory.dmp

\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 052e6b664d68958cff0d19ef11286662
SHA1 abe767326cf2188599f6b59863e74ade34e48d73
SHA256 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
SHA512 93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b

memory/2288-19-0x0000000002850000-0x0000000002950000-memory.dmp

memory/2288-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2288-21-0x0000000000400000-0x0000000002767000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\816782303773

MD5 2cac80fcae944ddc20e37e3c7462786c
SHA1 b871e266c202fddece1499fcfd9b19f10e8f3844
SHA256 45a304879663b3970d859505b7070887a4cec3aa0cdb8b6dc904a11970ec1cc0
SHA512 81f1e999b31f558c95613f6b9309264b91bd69c71b4960d00807c0646c0cff799ae5672796734297362e300f45b1319a2e988b7ffa09d22aef5eba618b8d7ddd

memory/2660-35-0x0000000000400000-0x0000000002767000-memory.dmp

memory/2660-39-0x0000000000400000-0x0000000002767000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 01:00
Reported: 2024-06-22 01:02
Platform: win10v2004-20240611-en
Max time kernel: 144s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe"

Signatures

Amadey

Tags: trojan, amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe N/A
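Both behavioral runs record the same persistence artifact: a file created at C:\Windows\Tasks\Dctooux.job. That is a legacy Task Scheduler 1.0 job file, which is not listed in the XML task store under System32\Tasks and is therefore easy to overlook during triage. The Python below is an added example for this page, not tooling from the sandbox vendor or the malware: it builds a .JOB file with the layout described in MS-TSCH (a fixed 68-byte header whose offset fields point at the variable section, then length-prefixed UTF-16LE strings for application, parameters, working directory, author and comment), parses it back, and flags any job whose target sits under a user's AppData\Local\Temp folder. The job bytes and the Tasks directory are constructed here; the report shows only that Dctooux.job was created, not its contents, so the assumption that it launches the dropped Dctooux.exe is an inference from the matching names.

```python
import re
import struct
import tempfile
import uuid
from pathlib import Path

FIXED_LEN = 68  # size of the FIXDLEN_DATA header of a Task Scheduler 1.0 .JOB file (MS-TSCH 2.4.1)
# Heuristic taken from this report: the scheduled payload lives in a per-user Temp directory.
TEMP_TARGET = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _ustr(s: str) -> bytes:
    """Length-prefixed UTF-16LE string of the variable-length section.
    The 2-byte length counts WCHARs including the terminating NUL; 0 means the string is absent."""
    if not s:
        return struct.pack("<H", 0)
    data = (s + "\0").encode("utf-16-le")
    return struct.pack("<H", len(data) // 2) + data


def _read_ustr(buf: bytes, off: int):
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    if off + n * 2 > len(buf):
        raise ValueError("string runs past end of file")
    return buf[off:off + n * 2].decode("utf-16-le").rstrip("\0"), off + n * 2


def build_job(app, params="", workdir="", author="", comment=""):
    """Constructed .JOB bytes with one zeroed 48-byte trigger; a stand-in, not the real Dctooux.job."""
    var = struct.pack("<H", 0)                       # running instance count
    app_name_len_off = FIXED_LEN + len(var)          # header field that points at the app-name length
    var += _ustr(app) + _ustr(params) + _ustr(workdir) + _ustr(author) + _ustr(comment)
    var += struct.pack("<H", 0) + struct.pack("<H", 0)  # user data size, reserved data size
    trigger_off = FIXED_LEN + len(var)
    var += struct.pack("<H", 1) + bytes(48)          # trigger count + one trigger
    fixed = struct.pack(
        "<HH16sHHHHHHIIIII16s",
        0x0600, 0x0001, uuid.uuid4().bytes_le,       # product version, file version, job UUID
        app_name_len_off, trigger_off,
        0, 0, 0, 0,                                  # retry count/interval, idle deadline/wait
        0, 0, 0, 0, 0,                               # priority, max run time, exit code, status, flags
        bytes(16),                                   # last run time (SYSTEMTIME); zero = never ran
    )
    return fixed + var


def parse_job(buf: bytes) -> dict:
    """Recover the fields a responder cares about: what runs, with which arguments, created by whom."""
    if len(buf) < FIXED_LEN + 2:
        raise ValueError("too short for a .JOB header")
    prod, fver, guid, name_off, trig_off = struct.unpack_from("<HH16sHH", buf, 0)
    if not (FIXED_LEN <= name_off < len(buf)) or trig_off + 2 > len(buf):
        raise ValueError("offset fields point outside the file")
    info = {"product_version": prod, "file_version": fver,
            "job_id": str(uuid.UUID(bytes_le=guid))}
    off = name_off
    for key in ("application", "parameters", "working_dir", "author", "comment"):
        info[key], off = _read_ustr(buf, off)
    (info["trigger_count"],) = struct.unpack_from("<H", buf, trig_off)
    return info


def hunt_job_files(tasks_dir) -> list:
    """Parse every *.job in a Tasks directory; flag targets under a user's Temp folder.
    A job that does not parse is flagged too, since a corrupt job file also deserves a look."""
    findings = []
    for p in sorted(Path(tasks_dir).glob("*.job")):
        try:
            info = parse_job(p.read_bytes())
        except (ValueError, struct.error, UnicodeDecodeError) as e:
            findings.append({"file": p.name, "error": str(e), "suspicious": True})
            continue
        info["file"] = p.name
        info["suspicious"] = bool(TEMP_TARGET.search(info["application"]))
        findings.append(info)
    return findings


def demo_tasks_dir() -> str:
    """Constructed stand-in for C:\\Windows\\Tasks: one benign job and one Amadey-style job."""
    d = tempfile.mkdtemp(prefix="tasks_")
    Path(d, "Backup.job").write_bytes(build_job(
        r"C:\Program Files\Backup\backup.exe", "/full", r"C:\Program Files\Backup", "Admin", "nightly"))
    Path(d, "Dctooux.job").write_bytes(build_job(
        r"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"))  # target assumed from the report's names
    return d


def demo_hunt() -> list:
    return hunt_job_files(demo_tasks_dir())


if __name__ == "__main__":
    for f in demo_hunt():
        print(f["file"], "SUSPICIOUS" if f["suspicious"] else "ok", f.get("application", f.get("error")))
```

On a live host, point hunt_job_files at C:\Windows\Tasks (and at a mounted image's Windows\Tasks during forensics); a job whose application path is under a user Temp directory, as Dctooux.job is assumed to be here, is the kind of entry a legitimate administrator almost never creates.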

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe (10 crash reports)
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe (20 crash reports)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

"C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1188

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1464

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 444

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 892

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
AR 190.220.21.28:80 selltix.org tcp
AR 190.220.21.28:80 selltix.org tcp
AR 190.220.21.28:80 selltix.org tcp
US 8.8.8.8:53 28.21.220.190.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
AR 190.220.21.28:80 selltix.org tcp
AR 190.220.21.28:80 selltix.org tcp
AR 190.220.21.28:80 selltix.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
AR 190.220.21.28:80 selltix.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
AR 190.220.21.28:80 selltix.org tcp
AR 190.220.21.28:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
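The Network tables of both runs mix the sample's own traffic with analysis-VM background: reverse lookups of every peer, Bing and Microsoft content fetches from the Windows 10 image, and the Google DNS queries themselves. The Python below is an added example for this page, not code from the sandbox vendor: it parses rows in the tables' own format, drops the background traffic (which patterns count as background is my assumption), and separates domains that were only looked up (otyt.ru and nudump.com) from the one that actually received connections (selltix.org, which resolved to 219.92.154.145 in the win7 run and to 190.220.21.28 in the win10 run). The embedded rows are a constructed subset of the two tables above.

```python
import re
from collections import defaultdict

# Constructed subset of the report's two Network tables (win7 run, then win10 run), same row format.
NETWORK_ROWS = """\
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
MY 219.92.154.145:80 selltix.org tcp
MY 219.92.154.145:80 selltix.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 selltix.org udp
AR 190.220.21.28:80 selltix.org tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 otyt.ru udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")
RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS server; a row to it proves a lookup, not a connection
# Assumed background traffic of the analysis VM: reverse lookups and Bing/Microsoft content fetches.
NOISE = re.compile(r"(\.in-addr\.arpa|\.bing\.com|\.bing\.net)$", re.IGNORECASE)


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m["port"])})
    return rows


def triage(rows: list) -> dict:
    """Separate domains that were only resolved from domains that received connections,
    keeping every (ip, port, country) a connected domain was reached at."""
    looked_up = set()
    connected = defaultdict(set)
    for r in rows:
        if NOISE.search(r["domain"]):
            continue
        if r["ip"] in RESOLVERS and r["port"] == 53 and r["proto"] == "udp":
            looked_up.add(r["domain"])
        else:
            connected[r["domain"]].add((r["ip"], r["port"], r["cc"]))
    return {
        "connected": {d: sorted(v) for d, v in connected.items()},
        "dns_only": sorted(looked_up - set(connected)),
    }


def iocs(result: dict) -> list:
    """Flat, deduplicated IOC list. Domains are the primary indicator: the same name
    resolved to different hosts in the two runs, so an IP-only block would miss one of them."""
    out = {("domain", d) for d in list(result["connected"]) + result["dns_only"]}
    out |= {("ip", ip) for peers in result["connected"].values() for ip, _, _ in peers}
    return sorted(out)


if __name__ == "__main__":
    res = triage(parse_rows(NETWORK_ROWS))
    print("connected:", res["connected"])
    print("dns only :", res["dns_only"])
    for kind, value in iocs(res):
        print(f"{kind:6} {value}")
```

The dns_only bucket is worth keeping as an indicator rather than discarding: a domain the sample resolves but never connects to is typically a fallback C2 that was not serving at detonation time, and it can become active later.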

Files

memory/3784-1-0x0000000002790000-0x0000000002890000-memory.dmp

memory/3784-2-0x0000000004370000-0x00000000043DF000-memory.dmp

memory/3784-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 052e6b664d68958cff0d19ef11286662
SHA1 abe767326cf2188599f6b59863e74ade34e48d73
SHA256 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
SHA512 93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b

memory/2592-16-0x0000000000400000-0x0000000002767000-memory.dmp

memory/3784-19-0x0000000000400000-0x0000000000472000-memory.dmp

memory/3784-18-0x0000000004370000-0x00000000043DF000-memory.dmp

memory/3784-17-0x0000000000400000-0x0000000002767000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\004059303877

MD5 aac2ace1320e6897085c92855baf462d
SHA1 84d7bd3274aca0f56de6584241fa0a7fea8bab3b
SHA256 0047612e100cf08e79c4b2c585c6605c396971849252688b373b89508967b782
SHA512 a8545220fcea5f5098eba1b27ca1db011bdb9f914763d67b9404b7a222e99582b6ed19c961156218dac3c1845a9b154e0a476035dab87ccb87ce09fe158c8373

memory/2592-35-0x0000000000400000-0x0000000002767000-memory.dmp

memory/2592-36-0x0000000000400000-0x0000000002767000-memory.dmp

memory/3252-40-0x0000000000400000-0x0000000002767000-memory.dmp

memory/4360-49-0x0000000000400000-0x0000000002767000-memory.dmp