formbook | 5c7e88f3840237ba479019cc2c86421db7f695c13dfeffe7f2db121158e42d81

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbaaca3df24ceb257d22854cac390f46_JaffaCakes118.rtf
Size

973KB
MD5

bbaaca3df24ceb257d22854cac390f46
SHA1

42eabeb3ee7475b1a68babe2aa96118c6c3e6e1e
SHA256

5c7e88f3840237ba479019cc2c86421db7f695c13dfeffe7f2db121158e42d81
SHA512

abc5b31f99bd39862fa6adad60191bcb26f9fcfd72c12bb67dca62dc6064858ee67b4bc8498a2eaf629a820bb2528d0a8a534c3a2375735008c5c4f4223e041e
SSDEEP

24576:s4zQaPkDpZdKUUyUn6HaNpKwD0gpV6HwR:J

Score

10^/10

formbook xa persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

laplayaencantada.net

francesemartin.biz

mydailyadverts.biz

themansiononwalnut.com

kccoin.net

lighthousenw.net

ideadubai.com

coat.ink

happiestmarriage101.com

god16.com

datecleanse.com

559453.top

nagwarerecords.com

xn--husw9zrks.com

welfarereform.net

grupocastedia.com

aqua-armor.online

hopugo.com

mylovesociety.com

exploremusicjax.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2640 2852 cmd.exe WINWORD.EXE
Formbook payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/3032-24-0x0000000000400000-0x0000000000475000-memory.dmp formbook
behavioral1/memory/3032-27-0x0000000000400000-0x0000000000475000-memory.dmp formbook
Executes dropped EXE 1 IoCs

Processes:

exe.exe

pid process

3032 exe.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2640 cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

netsh.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRWXSZIXGV = "C:\\Program Files (x86)\\X2dg\\IconCacherffpsz.exe" netsh.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

exe.exenetsh.exe

description pid process target process

PID 3032 set thread context of 1216 3032 exe.exe Explorer.EXE
PID 1636 set thread context of 1216 1636 netsh.exe Explorer.EXE
Drops file in Program Files directory 1 IoCs

Processes:

netsh.exe

description ioc process

File opened for modification C:\Program Files (x86)\X2dg\IconCacherffpsz.exe netsh.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2708 taskkill.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2640	2852	cmd.exe	WINWORD.EXE

resource	yara_rule
behavioral1/memory/3032-24-0x0000000000400000-0x0000000000475000-memory.dmp	formbook
behavioral1/memory/3032-27-0x0000000000400000-0x0000000000475000-memory.dmp	formbook

pid	process
2640	cmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRWXSZIXGV = "C:\\Program Files (x86)\\X2dg\\IconCacherffpsz.exe"	netsh.exe

description	pid	process	target process
PID 3032 set thread context of 1216	3032	exe.exe	Explorer.EXE
PID 1636 set thread context of 1216	1636	netsh.exe	Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\X2dg\IconCacherffpsz.exe	netsh.exe

pid	process
2708	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exeWINWORD.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-39690363-730359138-1046745555-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2852 WINWORD.EXE

pid	process
2852	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

exe.exenetsh.exe

pid	process
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
3032	exe.exe
1636	netsh.exe
1636	netsh.exe
1636	netsh.exe
1636	netsh.exe
1636	netsh.exe
1636	netsh.exe
1636	netsh.exe
1636	netsh.exe
1636	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

exe.exenetsh.exe

pid process

3032 exe.exe
3032 exe.exe
3032 exe.exe
1636 netsh.exe
1636 netsh.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exeexe.exeExplorer.EXEnetsh.exe

description pid process

Token: SeDebugPrivilege 2708 taskkill.exe
Token: SeDebugPrivilege 3032 exe.exe
Token: SeShutdownPrivilege 1216 Explorer.EXE
Token: SeDebugPrivilege 1636 netsh.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2852 WINWORD.EXE
2852 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	3032	exe.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeDebugPrivilege	1636	netsh.exe

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
2852	WINWORD.EXE
2852	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 2852 wrote to memory of 2640	2852	WINWORD.EXE	cmd.exe
PID 2852 wrote to memory of 2640	2852	WINWORD.EXE	cmd.exe
PID 2852 wrote to memory of 2640	2852	WINWORD.EXE	cmd.exe
PID 2852 wrote to memory of 2640	2852	WINWORD.EXE	cmd.exe
PID 2640 wrote to memory of 3032	2640	cmd.exe	exe.exe
PID 2640 wrote to memory of 3032	2640	cmd.exe	exe.exe
PID 2640 wrote to memory of 3032	2640	cmd.exe	exe.exe
PID 2640 wrote to memory of 3032	2640	cmd.exe	exe.exe
PID 2640 wrote to memory of 2708	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 2708	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 2708	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 2708	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 2988	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2988	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2988	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2988	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2528	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2528	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2528	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2528	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2952	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2952	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2952	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2952	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2164	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2164	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2164	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2164	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1740	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1740	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1740	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1740	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2468	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2468	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2468	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2468	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1996	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1996	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1996	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1996	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1116	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1116	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1116	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1116	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 1508	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 1508	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 1508	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 1508	2640	cmd.exe	cmd.exe
PID 1508 wrote to memory of 584	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 584	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 584	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 584	1508	cmd.exe	reg.exe
PID 2640 wrote to memory of 568	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 568	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 568	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 568	2640	cmd.exe	cmd.exe
PID 568 wrote to memory of 664	568	cmd.exe	reg.exe
PID 568 wrote to memory of 664	568	cmd.exe	reg.exe
PID 568 wrote to memory of 664	568	cmd.exe	reg.exe
PID 568 wrote to memory of 664	568	cmd.exe	reg.exe
PID 2640 wrote to memory of 332	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 332	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 332	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 332	2640	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1216

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bbaaca3df24ceb257d22854cac390f46_JaffaCakes118.rtf"
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\task.bat
3⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\exe.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
4⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
4⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
4⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
4⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
4⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
4⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
4⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
4⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
5⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
4⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
5⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
4⤵
PID:332

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
5⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
4⤵
PID:756

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
5⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
4⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
5⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
4⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
5⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
4⤵
PID:900

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
5⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
4⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
5⤵
PID:2848

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"
3⤵
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exe.exe
Filesize
448KB

MD5
a98ad56c847fca4da5b855bd1769e43b

SHA1
e11cac2e8d5861bd2423633eb18610d9350c29e7

SHA256
a8907640e46c8801627308581705a44407f60e251b0472965628a22cad9d3b4f

SHA512
be5237f5ed05d97524c3dca04e3146129fdb4b534bde21b0380da1d704e20802413e733274e5b20127abe95f3864fca96efaf0b0d2d6c956bf143e5f9f862b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct
Filesize
423B

MD5
37d1f4b225ea7008a1a5c0641d99a8a0

SHA1
52885e4d80a630d7975d4cb979f7fe75805c1453

SHA256
58ed6afc4e6b704e28a95bf35150ff767582e71f996009531dd81fe5251c4b7b

SHA512
7572f2e8df62c2abf30ab45a8bc83af9008b11933d3a745dfb9ad3687089872cd1b7eeb2e1a1a941014257a9b349d189c662b34f980d40d734561e5211125578

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat
Filesize
2KB

MD5
87aa6f8b236f77ea6ba2960e339a2418

SHA1
de6de0f0344693ff9fbc1c342867afee5bce3725

SHA256
cd0170e8e982ec7e87a916d1fd137a7e056c97f64b269eb7696b361bc9c7d1b2

SHA512
132dc475f5189d3f63fcbbff5dd7e74a8262270121710a936b91e450979b67e6f205123c5cd063fe01520cf0d67c7082f5dbff04261aeb48776e6e9c9ce0d7d8

Download Submit
C:\Users\Admin\AppData\Roaming\LLAMPA5E\LLAlogim.jpeg
Filesize
72KB

MD5
e515043b919b1fc24aa0774d6db7ae5c

SHA1
0217c5093d5934525fa7f985001f0fdb768e8aac

SHA256
1228c4881989f90e14c38e72b831ca069a0146f4d069bbd4d3cec9d0d8b1df7f

SHA512
57fe3340fb1f15848a2f36dff2603204d1099f20368b6c14aa4fe42a7696666b16cfb9d9cc11025b462c1fbac85c674134ada24b27975895bbed4ab10f4d8b8e

Download Submit
C:\Users\Admin\AppData\Roaming\LLAMPA5E\LLAlogri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\LLAMPA5E\LLAlogrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/1216-25-0x0000000002E40000-0x0000000002F40000-memory.dmp

Filesize
1024KB

Download
memory/1216-32-0x0000000006A70000-0x0000000006B37000-memory.dmp

Filesize
796KB

Download
memory/1636-26-0x0000000000910000-0x000000000092B000-memory.dmp

Filesize
108KB

Download
memory/2852-0-0x000000002F601000-0x000000002F602000-memory.dmp

Filesize
4KB

Download
memory/2852-23-0x000000007173D000-0x0000000071748000-memory.dmp

Filesize
44KB

Download
memory/2852-2-0x000000007173D000-0x0000000071748000-memory.dmp

Filesize
44KB

Download
memory/2852-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3032-27-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3032-24-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download