Malware Analysis Report

2024-10-23 19:32

Sample ID 240620-x2gvrsxfnp
Target 090ba923c9117d4641559a66bb40e275_JaffaCakes118
SHA256 e63a86159c13f3cd984d002cafd4d683c3f08e98835ea376c816b1d43bd91a74
Tags
aspackv2 modiloader trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 090ba923c9117d4641559a66bb40e275_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Deletes itself

Enumerates connected drives

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-20 19:20

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:20

Reported

2024-06-20 19:23

Platform

win7-20240221-en

Max time kernel

141s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_Server91.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe N/A
File opened for modification C:\Windows\SysWOW64\_Server91.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2184 set thread context of 3052 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe
PID 2184 wrote to memory of 3052 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Windows\SysWOW64\calc.exe
PID 2184 wrote to memory of 2672 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Windows\SysWOW64\WerFault.exe
PID 1652 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 280

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""

Network

N/A

Files

F:\Server91.exe

MD5 090ba923c9117d4641559a66bb40e275
SHA1 48bd696970da3a4095ce62016755a82d9887e5b4
SHA256 e63a86159c13f3cd984d002cafd4d683c3f08e98835ea376c816b1d43bd91a74
SHA512 f66c884e5271bd4d81bbd4f6df98c9b0a9fc81635f901045e342e8a3e4e9b67b10bb6ab8d1c2d77a4ee94db43d737d2cc947130e4abd9d85cb3eaa0c0e34edd5

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat

MD5 5a84d2267f8715ab6f5e853aed4d92d5
SHA1 c080353538c99294710ac64f6ea3eb272496b03f
SHA256 301d89971791942fe3d92aa3c85c68ba9653b8581f0419bc407f245600eb35e7
SHA512 025e8ea8a9aeacd1a069c7eb9c723727df1f1eb2ced91a24946b3ece124ac5dda5be3e92c78840f8332b40eb6f8a9f129b6a592ebc8b56846f53d1f13bd6ba1f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 19:20

Reported

2024-06-20 19:23

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_Server91.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe N/A
File opened for modification C:\Windows\SysWOW64\_Server91.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1472 set thread context of 1452 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe
PID 1472 wrote to memory of 1452 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\Windows\SysWOW64\calc.exe
PID 1472 wrote to memory of 1616 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2244 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\090ba923c9117d4641559a66bb40e275_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server91.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1472 -ip 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 656

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""

Network

Files

F:\Server91.exe

MD5 090ba923c9117d4641559a66bb40e275
SHA1 48bd696970da3a4095ce62016755a82d9887e5b4
SHA256 e63a86159c13f3cd984d002cafd4d683c3f08e98835ea376c816b1d43bd91a74
SHA512 f66c884e5271bd4d81bbd4f6df98c9b0a9fc81635f901045e342e8a3e4e9b67b10bb6ab8d1c2d77a4ee94db43d737d2cc947130e4abd9d85cb3eaa0c0e34edd5

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat

MD5 5a84d2267f8715ab6f5e853aed4d92d5
SHA1 c080353538c99294710ac64f6ea3eb272496b03f
SHA256 301d89971791942fe3d92aa3c85c68ba9653b8581f0419bc407f245600eb35e7
SHA512 025e8ea8a9aeacd1a069c7eb9c723727df1f1eb2ced91a24946b3ece124ac5dda5be3e92c78840f8332b40eb6f8a9f129b6a592ebc8b56846f53d1f13bd6ba1f