Malware Analysis Report

2024-10-19 07:00

Sample ID 240620-sf581stdnc
Target 0718c590352a10a5fb647c775059f447_JaffaCakes118
SHA256 bb60fd410e1a3fd36f5d8e43ff0e5534dc2a2765ae2a3000a8d14b9304d1bd92
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb60fd410e1a3fd36f5d8e43ff0e5534dc2a2765ae2a3000a8d14b9304d1bd92

Threat Level: Known bad

The file 0718c590352a10a5fb647c775059f447_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 15:05

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 15:05

Reported

2024-06-20 15:07

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_time.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe N/A
File opened for modification C:\Windows\SysWOW64\_time.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2168 set thread context of 1584 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 2168 set thread context of 2644 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
PID 2952 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
PID 2952 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
PID 2952 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
PID 2168 wrote to memory of 1584 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 2168 wrote to memory of 1584 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 2168 wrote to memory of 1584 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 2168 wrote to memory of 1584 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 2168 wrote to memory of 1584 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 2168 wrote to memory of 1584 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 2168 wrote to memory of 2644 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 2168 wrote to memory of 2644 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 2168 wrote to memory of 2644 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 2168 wrote to memory of 2644 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 2168 wrote to memory of 2644 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 2168 wrote to memory of 2644 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 2952 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

N/A

Files

\Program Files\Common Files\Microsoft Shared\MSInfo\time.exe

MD5 0718c590352a10a5fb647c775059f447
SHA1 ef7037a97789c9670c60a02395aaebcc739652fc
SHA256 bb60fd410e1a3fd36f5d8e43ff0e5534dc2a2765ae2a3000a8d14b9304d1bd92
SHA512 169985b972ec6a9d62618dbd6912bd446ac0b452d935c95340fa3cc3450f8f59b5f82ac4def5ab2e58da2dfb1190af8f56e42911d2c128321f2bf243231b9d07

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

MD5 76f4f64c36235149e1b93f1420e29311
SHA1 d918584788206e19231cc084ad545940f41528a0
SHA256 daa33e8c3a34e27a56ad316be88e45c739a13934e43e6057510d547c04833b6f
SHA512 503be45fa1ff869ed51586254b4d8cdfd28dd0b642e5db8290ec5b8c5624bd68cf2c4c25310052bc2179358f9bc002189b23ed246b993e122d3d788bbf10abc7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 15:05

Reported

2024-06-20 15:07

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_time.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe N/A
File opened for modification C:\Windows\SysWOW64\_time.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 316 set thread context of 2564 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
PID 4692 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
PID 4692 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
PID 316 wrote to memory of 2564 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 316 wrote to memory of 2564 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 316 wrote to memory of 2564 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 316 wrote to memory of 2564 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 316 wrote to memory of 2564 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\calc.exe
PID 316 wrote to memory of 3188 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 316 wrote to memory of 3188 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 316 wrote to memory of 3188 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe C:\Windows\SysWOW64\svchost.exe
PID 4692 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0718c590352a10a5fb647c775059f447_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 316 -ip 316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 684

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

Files

C:\Program Files\Common Files\microsoft shared\MSInfo\time.exe

MD5 0718c590352a10a5fb647c775059f447
SHA1 ef7037a97789c9670c60a02395aaebcc739652fc
SHA256 bb60fd410e1a3fd36f5d8e43ff0e5534dc2a2765ae2a3000a8d14b9304d1bd92
SHA512 169985b972ec6a9d62618dbd6912bd446ac0b452d935c95340fa3cc3450f8f59b5f82ac4def5ab2e58da2dfb1190af8f56e42911d2c128321f2bf243231b9d07

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

MD5 76f4f64c36235149e1b93f1420e29311
SHA1 d918584788206e19231cc084ad545940f41528a0
SHA256 daa33e8c3a34e27a56ad316be88e45c739a13934e43e6057510d547c04833b6f
SHA512 503be45fa1ff869ed51586254b4d8cdfd28dd0b642e5db8290ec5b8c5624bd68cf2c4c25310052bc2179358f9bc002189b23ed246b993e122d3d788bbf10abc7
