Malware Analysis Report

2025-08-05 14:32

Sample ID 240203-thz1fsfdhj
Target 8cc0bb1a00157351cf02c2d97c0b1831
SHA256 555bc25a57d01bbb12b69d41995c7a4f41c86f7d05ce0e73d2cc95aa6e3775fd
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
  Enterprise Matrix V15

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

555bc25a57d01bbb12b69d41995c7a4f41c86f7d05ce0e73d2cc95aa6e3775fd

Threat Level: Known bad

The file 8cc0bb1a00157351cf02c2d97c0b1831 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15: no technique mapping is present in this export of the report.

Analysis: static1

Detonation Overview

Reported

2024-02-03 16:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 16:04

Reported

2024-02-03 16:06

Platform

win7-20231215-en

Max time kernel

142s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 rows, one per letter; every drive letter except C:, D: and F:) C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A
File created F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\_KAV2007.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe N/A
File created C:\Windows\SysWOW64\_KAV2007.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
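The signature tables in this report flatten four columns (Description, Indicator, Process, Target) into one space-separated line, which is awkward to load into a case tracker because Windows paths themselves contain spaces. The following Python is an added example, not part of this report or of the sandbox's tooling. It recovers the columns from the right-hand side (each of the last three fields is either N/A or a path starting with a drive letter or the NT object-manager form \??\X:) and summarises what a responder wants from these rows: the drive letters probed, the AutoRun.inf drops, the files each process wrote, and thread-context injections. The rows embedded below are copied from the behavioral1 and behavioral2 sections of this report (the drive rows trimmed to three letters); the summary keys and function names are this example's own.

```python
"""Split the flattened 'Description Indicator Process Target' rows of this
report back into fields and summarise them. Added example: not part of the
report or of the sandbox's tooling. Rows below are copied from the
behavioral sections; everything else is this example's own."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The last three fields are each "N/A" or a Windows path. Paths begin either
# with a drive letter ("C:\...") or with the NT object-manager form "\??\X:"
# that the drive-enumeration rows use. Descriptions contain neither.
PATH_START = re.compile(r"(?<!\S)(?:\\\?\?\\[A-Z]:|[A-Z]:\\)")
THREAD_CTX = re.compile(r"^PID (\d+) set thread context of (\d+)$")

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"
KAV = r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# Subset of the report's rows (drive rows trimmed to three letters).
ROWS = rf"""
File opened (read-only) \??\E: {SAMPLE_EXE} N/A
File opened (read-only) \??\Q: {SAMPLE_EXE} N/A
File opened (read-only) \??\A: {SAMPLE_EXE} N/A
File created F:\AutoRun.inf {SAMPLE_EXE} N/A
File opened for modification F:\AutoRun.inf {SAMPLE_EXE} N/A
File created C:\AutoRun.inf {SAMPLE_EXE} N/A
File created {KAV} {SAMPLE_EXE} N/A
N/A N/A {KAV} N/A
File created C:\Windows\SysWOW64\_KAV2007.exe {KAV} N/A
PID 4880 set thread context of 2296 N/A {KAV} {SVCHOST}
""".strip().splitlines()


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line: str) -> Row:
    """Peel Target, Process and Indicator off the right; the rest is Description."""
    rest = line.strip()
    fields = []
    for _ in range(3):
        if rest.endswith(" N/A"):
            fields.append("N/A")
            rest = rest[:-4]
        else:
            starts = [m.start() for m in PATH_START.finditer(rest)]
            if not starts:
                raise ValueError(f"cannot split row: {line!r}")
            fields.append(rest[starts[-1]:])
            rest = rest[:starts[-1]].rstrip()
    target, process, indicator = fields
    return Row(rest, indicator, process, target)


def summarise(lines):
    """Collapse parsed rows into the facts a responder acts on."""
    rows = [parse_row(l) for l in lines if l.strip()]
    # "\??\E:" -> "E"
    drives = sorted({r.indicator[4] for r in rows if r.indicator.startswith("\\??\\")})
    autorun = sorted({r.indicator for r in rows
                      if r.description == "File created"
                      and r.indicator.lower().endswith("\\autorun.inf")})
    writes = defaultdict(set)
    for r in rows:
        if r.description == "File created":
            writes[r.process].add(r.indicator)
    injections = []
    for r in rows:
        m = THREAD_CTX.match(r.description)
        if m:
            injections.append((int(m[1]), int(m[2]), r.process, r.target))
    return {"drives": drives, "autorun": autorun,
            "writes": {p: sorted(v) for p, v in writes.items()},
            "injections": injections}


if __name__ == "__main__":
    for key, value in summarise(ROWS).items():
        print(key, value)
```

Fed the full drive-enumeration tables from either behavioral section, the "drives" list comes back as every letter except C:, D: and F:, which is the same fact the tables state across 23 rows each.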

Processes

C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe

"C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 304

C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"

Network

N/A

Files

memory/2060-0-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2060-1-0x0000000001F50000-0x0000000001FA4000-memory.dmp

memory/2060-9-0x0000000000700000-0x0000000000701000-memory.dmp

memory/2060-8-0x00000000024F0000-0x00000000024F1000-memory.dmp

F:\KAV2007.exe

MD5 d2c1e8b492a0236c74e5f48dc674ca5a
SHA1 c565a7da948d721d4907122ff2a16618052ccecd
SHA256 1ca67416e6324448e5d8575dc7e8a7b817ab7b5db148af444fb932ad1cbe9ebf
SHA512 d99bc00236e55f19d9419b54c2fc19d63577801575b5e28e576111b546ddbc2d3b9707b54476261b52be7df1893441fa7565dc1ae77bcc4e391953c3e5c56d1a

memory/2060-7-0x00000000020C0000-0x00000000020C1000-memory.dmp

memory/2060-6-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/2060-N-0x0000000003440000-0x0000000003540000-memory.dmp for N = 10, 28, 37, 39 and 48 to 73 (30 snapshots of the 1 MB region 0x3440000-0x3540000)

\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe

MD5 8e5343e8a9209aa5b20cde76b81b1395
SHA1 f94c6b1f1e9be71b109cdbcc715eb2e84cacfde5
SHA256 47b5aacd545ae33a1185b360ba9c3e37c04224b665504b97cfa53bea9e41b714
SHA512 ee983fb33e97c1768d190535b0715d5b86ba1f1033ea65b69341f47eac1d9a4e05a9ae348dea4e84267bd1b144e3b38798c20bbdf3a32c99c9cb4007f394b688

C:\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe

MD5 d4947528e05995d8d7e34a8bb96b114d
SHA1 a036d2b586d8fc21851084b7ae999709f4a348fe
SHA256 ab52c4a90890e962d82f104aec011b0cee8261019da1033d947b82ce36e15a7e
SHA512 c22e23230af2cb9ab5a9fce32fb4c363032c9083bf93eefd8fe12420348e1b40289071f5db4455a26a3f9cbd6052ffb2cacafe1dd9cb0b4b8c86391002b261fb

C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe

MD5 f694515906a8424c63e7a43c3a94ea5a
SHA1 4e15cefb4d3c724b6ad101309c514ef3b6eb21f3
SHA256 567a1c15ce6a33ae9f7c60bf55725bffb22255ab1ddf3f904f636fe19cd0b91c
SHA512 fe3d4b45bb51025361ff493c3f46f58c713ca29d73f3103fdeaf70fe5d3b9762c107464fe398495d045f5681b4d0f50e7e9d8eb87ebe640dd6ff103bc089d57f

\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe

MD5 27bd21f47aa8fe3f17ac61a2721f91ac
SHA1 db635a200a1d850c83b2e565ebd65f7bfff0cfc8
SHA256 26c83585d3d86f4f90339e09d9e38ce4fe59c33b4b36c83eed7ab328d1f74973
SHA512 d9a2b6e536357a2b39c815cd21d9f3ddf50bc79499b73bb90580e4a60f87e0e78a1646ae9fa14724cd29de486af64447a9a01b6632f7551dc187e784a29e169e

\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe

MD5 16c824a07ad55a1bfc3ccce075f8d43e
SHA1 efaa666331a6b3abc0ec23ed46cb0b49035b839f
SHA256 d6fc56ac66a9d8c2deab7a80b2ab9d9589a17b2575418052d754c909977d8b77
SHA512 8aed9c15a80e2d13839671a26a07dbe153c469c77951fd934ebc6f599a5d4aa4703ab637b02bbb7c5efcb2857b744a96a26fb77240f65380d31f2403a1da73a5

\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe

MD5 d898d96cc68fd0cee45e69a77be8ec4e
SHA1 3d2f26b520d478a2ca0f437906a16bc3f81b04f1
SHA256 b700bcfd0705a367e9186da29c00ea38852b65a9ac919672dde12c9f34b44d00
SHA512 fef53bfeb0cd08ef901df7fca73a37f386fa30172647b845f502746cced4ebc741780df12fef30b305acd7be7e889bc0224c2ea27402a214e0abe276297e4549

\Program Files\Common Files\Microsoft Shared\MSInfo\KAV2007.exe

MD5 99930b362d97bde5d859c4b02639568d
SHA1 56f7b34e3ed7c5514a1abf2bf32dc1d0e56b21c3
SHA256 b4e04d5a83205ed29da731f30031b4bf8f77174295a5eb727e00a8871bb4527c
SHA512 5c02586c86b68d13ed85214c59491550dab58f1c380df31c86140bc6998f762dfbcf9992329e9396f4ce52c12df50dc421382fa7c48b7a5420fdc8040484516c

memory/2060-N-0x0000000003440000-0x0000000003540000-memory.dmp for N = 21 to 27, 29 to 36, 38 and 40 to 47 (24 more snapshots of the 1 MB region 0x3440000-0x3540000)

memory/2060-5-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/2060-4-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2060-3-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/2060-2-0x0000000000710000-0x0000000000711000-memory.dmp

memory/2060-112-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2364-113-0x0000000000400000-0x00000000005DB000-memory.dmp (PID 2364 is the process WerFault.exe was invoked for with -p 2364; same image range as the sample in PID 2060)

memory/2060-130-0x0000000000400000-0x00000000005DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 16:04

Reported

2024-02-03 16:06

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 rows, one per letter; every drive letter except C:, D: and F:) C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A
File created F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A
File created C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_KAV2007.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe N/A
File opened for modification C:\Windows\SysWOW64\_KAV2007.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4880 set thread context of 2296 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe

"C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2296 -ip 2296
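Read together, the signatures and process list above describe a chain a defender can detect on a host without the sandbox: the sample writes AutoRun.inf to the root of C: and F:, drops KAV2007.exe under Program Files\Common Files\Microsoft Shared\MSINFO and runs it; the dropped binary writes _KAV2007.exe into SysWOW64 and starts svchost.exe as its own child, with no services.exe parent and no -k service-group argument on the command line; it then sets the thread context of that svchost.exe (PID 2296) from PID 4880. Two caveats a responder should keep in mind: Windows has not honoured AutoRun.inf on removable drives other than optical media since the 2011 AutoRun update (KB971029), and an AutoRun.inf on the system drive does nothing, so the drop is an indicator rather than a live propagation path; and Sysmon has no event for SetThreadContext itself, so the hollowed svchost.exe is most reliably caught by its anomalous parent and command line. The Python below is an added example, not the sandbox's or any vendor's detection content. Its event stream is constructed to mirror the behavioral2 section using Sysmon field names (EventID 1 ProcessCreate, EventID 11 FileCreate); the sample's own parent process (explorer.exe) is assumed, since the report does not record it, and the rule names are this example's own.

```python
"""Host detections for the chain this report records, run over constructed
Sysmon-style events. Added example: not the sandbox's or any vendor's rule
content. Field names follow Sysmon (EventID 1 = ProcessCreate, 11 =
FileCreate); the values are modelled on the behavioral2 section above."""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"
DROPPED_EXE = r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# Constructed event stream, in arrival order. PIDs match the report's; the
# explorer.exe parent of the sample is an assumption (the report omits it).
EVENTS = [
    {"EventID": 1, "ProcessId": 2136, "Image": SAMPLE_EXE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE_EXE}"'},
    {"EventID": 11, "ProcessId": 2136, "Image": SAMPLE_EXE, "TargetFilename": r"F:\AutoRun.inf"},
    {"EventID": 11, "ProcessId": 2136, "Image": SAMPLE_EXE, "TargetFilename": r"C:\AutoRun.inf"},
    {"EventID": 11, "ProcessId": 2136, "Image": SAMPLE_EXE, "TargetFilename": DROPPED_EXE},
    {"EventID": 1, "ProcessId": 4880, "Image": DROPPED_EXE,
     "ParentImage": SAMPLE_EXE, "CommandLine": f'"{DROPPED_EXE}"'},
    {"EventID": 11, "ProcessId": 4880, "Image": DROPPED_EXE,
     "TargetFilename": r"C:\Windows\SysWOW64\_KAV2007.exe"},
    {"EventID": 1, "ProcessId": 2296, "Image": SVCHOST,
     "ParentImage": DROPPED_EXE, "CommandLine": r'"C:\Windows\system32\svchost.exe"'},
    # Benign control: a normal service host, which none of the rules should flag.
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

AUTORUN_AT_ROOT = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, event) pairs. Rules, in the order the chain trips them:
    autorun_inf_at_drive_root, executes_dropped_exe,
    exe_written_to_system_dir_by_non_windows_image,
    svchost_unexpected_parent_or_cmdline."""
    findings = []
    dropped = set()  # lower-cased paths of executables written so far in the stream
    for e in events:
        if e["EventID"] == 11:
            target = e["TargetFilename"]
            if AUTORUN_AT_ROOT.match(target):
                findings.append(("autorun_inf_at_drive_root", e))
            if target.lower().endswith(".exe"):
                dropped.add(target.lower())
                # Installers do write here; in production pair this with a
                # signer/allow-list check on e["Image"].
                if (target.lower().startswith(SYSTEM_DIRS)
                        and not e["Image"].lower().startswith(WINDOWS_DIR)):
                    findings.append(("exe_written_to_system_dir_by_non_windows_image", e))
        elif e["EventID"] == 1:
            image = e["Image"]
            if image.lower() in dropped:
                findings.append(("executes_dropped_exe", e))
            # Legitimate service hosts are started by services.exe with "-k <group>".
            if basename(image) == "svchost.exe" and (
                    basename(e["ParentImage"]) != "services.exe"
                    or " -k " not in e["CommandLine"]):
                findings.append(("svchost_unexpected_parent_or_cmdline", e))
    return findings


if __name__ == "__main__":
    for rule, e in detect(EVENTS):
        print(f"{rule:48} pid={e['ProcessId']} {e.get('TargetFilename') or e['CommandLine']}")
```

The dropped-then-executed correlation is order dependent: the FileCreate must be seen before the ProcessCreate, which is how Sysmon delivers them but not necessarily how a SIEM returns them, so sort by UtcTime before replaying stored events through it.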

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 52.142.223.178:80 (no domain recorded) tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp

The 8.8.8.8:53 entries are reverse (PTR) lookups of public IPv4 addresses. The table carries no originating process, so the report itself does not tie any of this traffic to the sample or its dropped binaries.

Files

memory/2136-0-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2136-1-0x00000000023F0000-0x0000000002444000-memory.dmp

memory/2136-2-0x0000000002600000-0x0000000002601000-memory.dmp

memory/2136-3-0x0000000002650000-0x0000000002651000-memory.dmp

F:\KAV2007.exe

MD5 63f6545f346ba674df9fd99d79232204
SHA1 785bc1983450cc8c47bcd00ce7169f425685bba7
SHA256 b61eab79f4db2f7a3dea01ccf8aadcdff5d27ca10b6e2a19f94654d4c8f5ecf7
SHA512 a7ce03626e5c93019055c66c649d8afe1e904ddc850955dbc631177fe955191b9c77d3f535c3f0bdb39a868c18fdb283d1625b880137cda0b8da44f61491efd0

memory/2136-N-0x00000000035C0000-0x00000000036C0000-memory.dmp for N = 18, 21 to 41, 49, 54, 61 and 68 to 73 (31 snapshots of the 1 MB region 0x35C0000-0x36C0000)

memory/2136-9-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/2136-8-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2136-7-0x0000000002630000-0x0000000002631000-memory.dmp

memory/2136-6-0x0000000002640000-0x0000000002641000-memory.dmp

memory/2136-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/2136-4-0x00000000025E0000-0x00000000025E1000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe

MD5 8685fd6e340191c57a725d37da4c2041
SHA1 41f742f4ccabe7e92105f91d576f9ad8b5c7fd9d
SHA256 e488a48cb41f6e0a6f42bd3191cb9a1b9a801ff59ada7698fd6b03306384c73c
SHA512 800fa36eb907a4571c4f4d18e4f533aeba779c03326ac39652c83613fda6d248c3aef1c0b6d0437553cfe2f9e1408e7e7ffa3dc12404e6312c6c35ef5d4f7d79

C:\Program Files\Common Files\microsoft shared\MSInfo\KAV2007.exe

MD5 71959f3d95511c35829be4ec361a1de0
SHA1 a483167050aee0dcfe7b129de074a6cc691b5280
SHA256 526d912f7393d4bd60a685935a3f52ab406821d6d7bfadaf806543b3325da8df
SHA512 f26fba85322bdb80998df1a9c4a7e305ee58e238f732658202b17b9aa9ca4c99e8b70b8a865fe4484e2e3fc0b3343e5105c618bf434e05ff7a256e1b68797030

memory/2136-N-0x00000000035C0000-0x00000000036C0000-memory.dmp for N = 42 to 48, 50 to 53, 55 to 60 and 62 to 67 (23 more snapshots of the 1 MB region 0x35C0000-0x36C0000)

memory/2136-94-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4880-93-0x0000000000400000-0x00000000005DB000-memory.dmp (PID 4880 is KAV2007.exe, the process column of the SetThreadContext row)

memory/2296-92-0x0000000000400000-0x00000000005DB000-memory.dmp (PID 2296 is the svchost.exe whose thread context was set and for which WerFault.exe was invoked; the dumped range matches the sample's image range in PID 2136)

memory/2296-97-0x0000000000B50000-0x0000000000B50000-memory.dmp (zero-length range)