Analysis
max time kernel: 146s
max time network: 139s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 11:44
Static task: static1
Behavioral task: behavioral1
Sample: a97f874d6313ccfefceec77c2ccf1fda_JaffaCakes118.rtf
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: a97f874d6313ccfefceec77c2ccf1fda_JaffaCakes118.rtf
Resource: win10v2004-20240611-en
General
-
Target
a97f874d6313ccfefceec77c2ccf1fda_JaffaCakes118.rtf
-
Size
814KB
-
MD5
a97f874d6313ccfefceec77c2ccf1fda
-
SHA1
0b140d33ec06f7387ad3763e30c091b255d4115e
-
SHA256
b5abd46caecf027f71d1dc3c78d490092a82d70dea355cf83523a70b6967be6e
-
SHA512
fd8e26830e6a511ae8b16cd6798cde208bf0584ba4f89fd2321b6a47ccde401860bbec1485904dea0feae42349b553744711d4e5d3bf3b4631bb9119b1b69110
-
SSDEEP
12288:e+WhWEyIueil9U4zx+InkxPn6L7KHPpwsXafAJJDBuoMY3l9Uae:eIRIWl9U4zUNP6HnqafAv1n3l9UB
Malware Config
Extracted
formbook
3.8
ch35
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe, cmd.exe
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2632 | 1656 | cmd.exe | WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1856 | 1656 | cmd.exe | WINWORD.EXE
Formbook payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2752-45-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
behavioral1/memory/2752-49-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
Executes dropped EXE 2 IoCs
Processes: exe.exe, exe.exe
pid | process
1728 | exe.exe
2752 | exe.exe
Loads dropped DLL 3 IoCs
Processes: cmd.exe, exe.exe
pid | process
2672 | cmd.exe
2672 | cmd.exe
1728 | exe.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: exe.exe, exe.exe, cmmon32.exe
description | pid | process | target process
PID 1728 set thread context of 2752 | 1728 | exe.exe | exe.exe
PID 2752 set thread context of 1132 | 2752 | exe.exe | Explorer.EXE
PID 2620 set thread context of 1132 | 2620 | cmmon32.exe | Explorer.EXE
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
2800 | timeout.exe
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
1548 | taskkill.exe
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes: EQNEDT32.EXE, EQNEDT32.EXE
pid | process
2732 | EQNEDT32.EXE
2548 | EQNEDT32.EXE
Processes: WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
1656 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 29 IoCs
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: exe.exe, cmmon32.exe
pid | process
2752 | exe.exe
2752 | exe.exe
2752 | exe.exe
2620 | cmmon32.exe
2620 | cmmon32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: taskkill.exe, exe.exe, cmmon32.exe
description | pid | process
Token: SeDebugPrivilege | 1548 | taskkill.exe
Token: SeDebugPrivilege | 2752 | exe.exe
Token: SeDebugPrivilege | 2620 | cmmon32.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: exe.exe, Explorer.EXE
pid | process
1728 | exe.exe
1728 | exe.exe
1132 | Explorer.EXE
1132 | Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs
Processes: exe.exe, Explorer.EXE
pid | process
1728 | exe.exe
1728 | exe.exe
1132 | Explorer.EXE
1132 | Explorer.EXE
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: WINWORD.EXE, exe.exe
pid | process
1656 | WINWORD.EXE
1656 | WINWORD.EXE
1656 | WINWORD.EXE
1728 | exe.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a97f874d6313ccfefceec77c2ccf1fda_JaffaCakes118.rtf"
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
        - Process spawned unexpected child process
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\timeout.exe
            Command line: TIMEOUT 1
            - Delays execution with timeout.exe
        [5] C:\Users\Admin\AppData\Local\Temp\exe.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\ExE.ExE
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\AppData\Local\Temp\exe.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\ExE.ExE
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\taskkill.exe
            Command line: TASKKILL /F /IM winword.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
        - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\cmmon32.exe
      Command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"
[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\CmD.exe
      Command line: CmD /C %tmp%\task.bat & UUUUUUUU c
[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Launches Equation Editor
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2nd.bat
Filesize: 2KB
-
C:\Users\Admin\AppData\Local\Temp\exe.exe
Filesize: 344KB
-
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct
Filesize: 432B
-
C:\Users\Admin\AppData\Local\Temp\task.bat
Filesize: 149B