Malware Analysis Report

2024-08-06 14:19

Sample ID 240619-xrvc4sxejd
Target 0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118
SHA256 a65a9e13d34e41f5544f5a1e3690b95c1f4394d65de86c42afaaa9496a4b9981
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a65a9e13d34e41f5544f5a1e3690b95c1f4394d65de86c42afaaa9496a4b9981

Threat Level: Known bad

The file 0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Enumerates connected drives

Drops autorun.inf file

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Replication Through Removable Media
T1091
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Replication Through Removable Media
T1091
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-19 19:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 19:05

Reported

2024-06-19 19:08

Platform

win7-20240220-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\paramstr.txt C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2916 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2916 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2916 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2916 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2916 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2916 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2916 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 312

Network

N/A

Files

memory/2916-0-0x0000000000400000-0x0000000000559000-memory.dmp

memory/2916-1-0x0000000000280000-0x00000000002D4000-memory.dmp

memory/2916-8-0x0000000000590000-0x0000000000591000-memory.dmp

memory/2916-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2916-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/2916-7-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/2916-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2916-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2916-4-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/2916-3-0x0000000000560000-0x0000000000561000-memory.dmp

memory/2916-2-0x0000000000580000-0x0000000000581000-memory.dmp

memory/2916-11-0x0000000003270000-0x000000000331B000-memory.dmp

memory/2916-18-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-19-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-17-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-16-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-15-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-14-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-13-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-20-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-22-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-24-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-27-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-26-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-25-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-23-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-21-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-12-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-29-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-28-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-30-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-32-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-31-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-33-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-36-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-35-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-34-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-44-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-45-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-43-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-42-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-41-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-40-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-47-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2916-39-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-38-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-37-0x0000000003270000-0x0000000003271000-memory.dmp

C:\AutoRun.inf

MD5 1da0b273a8dd7961b24c6163e6ae0de2
SHA1 7a4f5e9a6934cc9ef9166d3ef3adf2535ccad6b2
SHA256 705ff32cb59644357122365403e7b6ed3ed6a4e9789836321468b5cb5db97cae
SHA512 d4f7e3dedd726988ebef8fd0ea93dc380ba50862257ceae1c30e0e974402d850a057d74ef995d2ed909a70f5479437539396911d0ea05fc80669e2ef57c74cdb

memory/2916-46-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-67-0x0000000000400000-0x0000000000559000-memory.dmp

memory/2916-69-0x0000000000280000-0x00000000002D4000-memory.dmp

memory/2916-70-0x0000000003270000-0x000000000331B000-memory.dmp

memory/2916-86-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-110-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-109-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-108-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-107-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-106-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-105-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-104-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-103-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-102-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-101-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-100-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-99-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-98-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-97-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-96-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-95-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-94-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-93-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-92-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-91-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-90-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-89-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-88-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-87-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-85-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-84-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-83-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-82-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-81-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-80-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-79-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-78-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-77-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-76-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-75-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-74-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-73-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-72-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2916-71-0x0000000003270000-0x0000000003271000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:05

Reported

2024-06-19 19:08

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\paramstr.txt C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 4852 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0016bdd1e1bdadcdbdc86c8ce3523502_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 684

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

memory/4852-1-0x0000000000A60000-0x0000000000AB4000-memory.dmp

memory/4852-0-0x0000000000400000-0x0000000000559000-memory.dmp

memory/4852-2-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/4852-11-0x0000000003390000-0x000000000343B000-memory.dmp

memory/4852-10-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/4852-9-0x0000000002430000-0x0000000002431000-memory.dmp

memory/4852-8-0x0000000002400000-0x0000000002401000-memory.dmp

memory/4852-7-0x0000000002410000-0x0000000002411000-memory.dmp

memory/4852-6-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/4852-5-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/4852-4-0x0000000002420000-0x0000000002421000-memory.dmp

memory/4852-25-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-24-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-54-0x0000000003390000-0x0000000003391000-memory.dmp

C:\AutoRun.inf

MD5 1da0b273a8dd7961b24c6163e6ae0de2
SHA1 7a4f5e9a6934cc9ef9166d3ef3adf2535ccad6b2
SHA256 705ff32cb59644357122365403e7b6ed3ed6a4e9789836321468b5cb5db97cae
SHA512 d4f7e3dedd726988ebef8fd0ea93dc380ba50862257ceae1c30e0e974402d850a057d74ef995d2ed909a70f5479437539396911d0ea05fc80669e2ef57c74cdb

memory/4852-56-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-55-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-53-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-52-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-51-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-50-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-49-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-48-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-47-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-46-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-45-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-44-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-43-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-42-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-41-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-40-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-39-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-38-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-37-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-36-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-35-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-34-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-33-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-32-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-31-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-30-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-29-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-28-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-27-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-26-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-23-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-22-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-21-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-20-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-19-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-18-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-17-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-16-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-15-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-14-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-13-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4852-12-0x0000000003390000-0x000000000343B000-memory.dmp

memory/4852-3-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/4852-76-0x0000000000400000-0x0000000000559000-memory.dmp

memory/4852-78-0x0000000003390000-0x0000000003396000-memory.dmp

memory/4852-77-0x0000000000A60000-0x0000000000AB4000-memory.dmp