Malware Analysis Report

2025-03-15 04:37

Sample ID: 241027-1979gatfrc
Target: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118
SHA256: 64d12b6ed1fc65eaaf9410903955668bfa6fd6ae699dcabc6e9cad74ffb42c1d
Tags: upx, discovery, spyware, stealer
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 64d12b6ed1fc65eaaf9410903955668bfa6fd6ae699dcabc6e9cad74ffb42c1d

Threat Level: Shows suspicious behavior

The file 763d06f09c646c995c9ded35754f35e1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: upx, discovery, spyware, stealer

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 22:22

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 22:22
Reported: 2024-10-27 22:24
Platform: win7-20241010-en
Max time kernel: 148s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdate.lnk | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2476 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe
PID 2476 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe
PID 2476 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe
PID 2476 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe
PID 2476 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe
PID 2476 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe
PID 2476 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe
PID 2476 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe

"C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe"

C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe

"C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.yahoo.com | udp
GB | 87.248.114.12:80 | www.yahoo.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
US | 151.101.194.132:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | us.cnn.com | udp
US | 151.101.3.5:80 | us.cnn.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
GB | 2.19.248.73:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | us.cnn.com | udp
US | 151.101.131.5:80 | us.cnn.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
GB | 2.19.248.73:80 | www.foxnews.com | tcp
US | 151.101.131.5:80 | us.cnn.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
GB | 2.19.248.96:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | www.yahoo.com | udp
GB | 87.248.114.12:80 | www.yahoo.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
US | 151.101.2.132:80 | www.foxnews.com | tcp
US | 151.101.2.132:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | us.cnn.com | udp
US | 151.101.131.5:80 | us.cnn.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
GB | 2.19.248.96:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | www.yahoo.com | udp
GB | 87.248.114.11:80 | www.yahoo.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
GB | 2.19.248.73:80 | www.foxnews.com | tcp

Files

memory/2476-1-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msftldr.dll

MD5 ee693e9883f032df2849150b5279a21b
SHA1 7f5675e4c9383134fd495aa870d8a4567ae2ce6e
SHA256 fee1bd9f37e1925045425e48d97f215b1786b9bf2b11006ddedffc68c753fea4
SHA512 11378bf51357bbafbe3479974c4809a051f7cdb7877c00f7de523959160eb4235530037e9624e34434ab6d4e8f982768bea56dc3749c83ffd7fc7c6d2a9e6ab4

C:\Users\Admin\AppData\Local\Temp\msftcore.dll

MD5 ccab25c4f6a2411e649f41a654fb732a
SHA1 f0fa67afbfeba2fcfba4cbf378456e9563ed5e5b
SHA256 7d21310e49648c311d150f233b3f8b577a39705228c12b6c01cc5e770bdbeb76
SHA512 353d0196e47c963f62420df99c75a40bcf4db374386bf676edbc990d8c5cb16b74318aefacd9085e9fd860dded035350085f7efea3772b326a6a9867dfba641c

C:\Users\Admin\AppData\Local\Temp\msftcore.dat

MD5 85c353915f5aa8894943ba9724a56946
SHA1 a2ac3dd29c9dcdaf7ef748ac42f6e00a699a8aaf
SHA256 2a8932976e5b6fbe3cde6d4db4c5ee335702412fc907c3fb4d83f1ddf753bd30
SHA512 96d14e46949d1b9bf2b4cb49809b96b99d598bc3c75fe0b159ee544a2b835a49cda9e756b034159767572bf9ab22c3cd78e2e354d2ab578fe1523a8dbaffe955

C:\Users\Admin\AppData\Local\Temp\msfttcp.dll

MD5 47a1410f93552cb860134f63e7f08bbd
SHA1 05d13a592f4649af3a5f3a9f13cb686a5f29506a
SHA256 0dcd59b53093f87990eb9385f272a5d75fdc5b9517d62f5ca303c4ff8484ae6d
SHA512 2b18f2890e7690d0fe67c3d6f5962f5081bdc4ffa02e01e07050f061ed551dc54a2aceb52a4200c9f70bdc286c2f2d80c0b071e772952015bb4ee8d0cc6e2f18

C:\Users\Admin\AppData\Local\Temp\msftdm.exe

MD5 1ba9eb7cdab7a589ebbe6d720ae3c187
SHA1 55555de0a07d43a23c4fff84bd4613b9b3c3c104
SHA256 2dee3d4a62c04eb8dd0e30dc4ef3eb51dc80e72422d383b44a363ae939d64eea
SHA512 374a9d844365b1b1d855f83616c9e2d3cc3b9edaef5428af8022845a2679b38483e9249c686fe5f508a60124cc6fad2fbbf23eab60bd2e492b8366799ad60e74

C:\Users\Admin\AppData\Local\Temp\msftstp.exe

MD5 aaa500a9062eef90ef54a10b47dd38c0
SHA1 5aeb7d00518f9598ace234b9c0ce0ef859adccac
SHA256 089ed7d7301d5cf8c424d14f766e8a3eec38825eb757b498cc10a752c80d0092
SHA512 66884cfbbe637097bd5cdb52c678c78456e41664ac0bc491acb67fbdd48f09cfe5c8c124d5e5232cb80178b018d6199bf9be163f0eab9580ad6a9858d9f42a19

C:\Users\Admin\AppData\Local\Temp\msftmod.dat

MD5 e21f42c8e892bcb102b45fd92ae946f2
SHA1 018c9f80a4f603c12e0f7014fa8c77116434ba09
SHA256 1df3a4c0aea1b2cdc377ed1359f27efcfecc4a80c3d1a8a785568fb5552f91a9
SHA512 130d4bf292d25b44d68affc26318b033bcd532942f25f0fa78620b934095d6c2ae8ff4c2b2632233eaf25f85deca9f0349cba405b12e0c898254c00329403de1

C:\Users\Admin\AppData\Local\Temp\msfteml.dll

MD5 6a08aa55a1b999b583bdedd896cf6f7e
SHA1 1c66b481049cd30967e837b0d1b5a04421ad97a0
SHA256 a6b19efc6fc9aa7e8cf722f20fd4e1a40780af255310617c34f9e2dba6efde6b
SHA512 c161885bb5c301c986b3d45112cd74b69ea1bb424ff97a5798717e4e506b2d08ca5b993c20e79cb74cb00f2c5d76198b25424b7d15fade3dccaeb30096a383de

\Users\Admin\AppData\Roaming\Identities\vclvclms32\msftstp.exe

MD5 c1883400de568d13ac385424dfdac922
SHA1 89346038c164a66d441369d7a6e757af8db44089
SHA256 42dd97b432e39b5d8580d1a336f7c392c51ee5a9207f31b28a406dd97d4b7eaf
SHA512 5ed7d7fdc26c4790ab06163c488998288c05ae7a27807b7dd79771d8570f9e9653b2a6d5c8c12e12636f8228b09c6ed9af671a327c04a2a8c4daee22267fb6af

memory/2476-89-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftldr.dll

MD5 c617801ca4bb75ea00da0cc9af86a20b
SHA1 bdc45e976f7f553ebab954549a63def00d65b302
SHA256 c3be7740c2f338688bf7040aa1390e275e1c087b0c3dda843d02eab528572da8
SHA512 5c4f0c3331201728f05185b556d144128f7e84be72fb24e6553e33ac9e0a987575f2d263d710796f8076c363904ea5ed197891ce07d1efb9cef0cc125f1cfb1f

C:\Users\Admin\AppData\Roaming\Identities\vclvclms32\msfteml.dll

MD5 431281eb6636a49003c134ad75038139
SHA1 07a74b28bdc347e6936031a5d6f0ddff97c3cc50
SHA256 cbc61c7335c477fa72e5aba70de44ea0df37625372724332c377196af1c083dd
SHA512 1dedf42c0de7eb8cb9f5c6d425358ced05e37dded947c20a9996b32f6cec6753b08cec73413fc134ba7d282dbc60afb3136b20c96bcbf26a14b7717d591e2bc6

C:\Users\Admin\AppData\Roaming\Identities\vclvclms32\msftcore.dll

MD5 520004f34edca4a74fc5c3e9d6de36e1
SHA1 f799710dcf35d30245f2d4ffc621fc8058f045b4
SHA256 57de9ecfcfed78b7e52e41c7314d8dfc61976adb51c83478b16405c3d79b9557
SHA512 f3071ef6391222c6689c966051d4d108c2eb56a598d77313b0b1d912d87e3f67709896f735e6928ebc823214c48e551c1fea3aef8e8bb5361785e6f32b11c43f

memory/2412-98-0x0000000000280000-0x00000000002AD000-memory.dmp

memory/1100-96-0x0000000000290000-0x00000000002B3000-memory.dmp

memory/1100-107-0x0000000000230000-0x000000000025D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Identities\vclvclms32\msftcore.dat

MD5 ad0edd8b47944c1178636c94542eacee
SHA1 8dd5d8e6cce39944939f40d0c15f78db943d1f2f
SHA256 940d8fd23163cbdcdc0eef26c8d333e8e784bd506d50a7deeabda95b0a1d1752
SHA512 11e9e6d05fe812e9316e0d00fda75de8bed4fbbee3765f13b653a547f8cea4b92d872f31a944e4fb8661d8b64083af4e94acb7beaa383a685cb90f2d85f07e3c

C:\Users\Admin\AppData\Roaming\Identities\vclvclms32\msfttcp.dll

MD5 2506cecf663b4a961c65a9d7e9ef795a
SHA1 6262efdd2eba424474f6c2aac20913b3e588aaab
SHA256 baa21cee7ec40eb612ab70ef6d801cbb1645f9da9c827bf0d59d2e65d5646b52
SHA512 f97c35653d03ceb134ff34a912f7a8ca71e67e35a623ebe8f7470d4fd13e0df54ae5c617e23f15354de43f3a2ac762f57a42fb882f1204b0633b2d5fb91cb570

memory/2412-110-0x00000000002F0000-0x00000000002FD000-memory.dmp

memory/1100-112-0x0000000000230000-0x000000000023D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-27 22:22
Reported: 2024-10-27 22:27
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdate.lnk | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm32.exe | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm.exe

"C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm.exe"

C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm32.exe

"C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | us.cnn.com | udp
US | 151.101.3.5:80 | us.cnn.com | tcp
US | 8.8.8.8:53 | 5.3.101.151.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.yahoo.com | udp
GB | 87.248.114.11:80 | www.yahoo.com | tcp
US | 8.8.8.8:53 | 11.114.248.87.in-addr.arpa | udp
US | 151.101.3.5:80 | us.cnn.com | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | www.yahoo.com | udp
GB | 87.248.114.11:80 | www.yahoo.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
US | 151.101.66.132:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | 132.66.101.151.in-addr.arpa | udp
US | 8.8.8.8:53 | www.foxnews.com | udp
US | 151.101.194.132:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | 132.194.101.151.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
GB | 87.248.114.11:80 | www.yahoo.com | tcp
US | 8.8.8.8:53 | www.foxnews.com | udp
GB | 2.19.248.96:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | 96.248.19.2.in-addr.arpa | udp
GB | 2.19.248.96:80 | www.foxnews.com | tcp
US | 8.8.8.8:53 | us.cnn.com | udp
US | 151.101.3.5:80 | us.cnn.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | www.foxnews.com | udp
GB | 2.19.248.96:80 | www.foxnews.com | tcp
US | 151.101.3.5:80 | us.cnn.com | tcp
US | 151.101.3.5:80 | us.cnn.com | tcp
US | 8.8.8.8:53 | www.yahoo.com | udp
GB | 87.248.114.12:80 | www.yahoo.com | tcp
US | 8.8.8.8:53 | 12.114.248.87.in-addr.arpa | udp
US | 151.101.3.5:80 | us.cnn.com | tcp

Files

memory/3880-0-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msftcore.dll

MD5 ccab25c4f6a2411e649f41a654fb732a
SHA1 f0fa67afbfeba2fcfba4cbf378456e9563ed5e5b
SHA256 7d21310e49648c311d150f233b3f8b577a39705228c12b6c01cc5e770bdbeb76
SHA512 353d0196e47c963f62420df99c75a40bcf4db374386bf676edbc990d8c5cb16b74318aefacd9085e9fd860dded035350085f7efea3772b326a6a9867dfba641c

C:\Users\Admin\AppData\Local\Temp\msftmod.dat

MD5 e21f42c8e892bcb102b45fd92ae946f2
SHA1 018c9f80a4f603c12e0f7014fa8c77116434ba09
SHA256 1df3a4c0aea1b2cdc377ed1359f27efcfecc4a80c3d1a8a785568fb5552f91a9
SHA512 130d4bf292d25b44d68affc26318b033bcd532942f25f0fa78620b934095d6c2ae8ff4c2b2632233eaf25f85deca9f0349cba405b12e0c898254c00329403de1

C:\Users\Admin\AppData\Local\Temp\msftstp.exe

MD5 aaa500a9062eef90ef54a10b47dd38c0
SHA1 5aeb7d00518f9598ace234b9c0ce0ef859adccac
SHA256 089ed7d7301d5cf8c424d14f766e8a3eec38825eb757b498cc10a752c80d0092
SHA512 66884cfbbe637097bd5cdb52c678c78456e41664ac0bc491acb67fbdd48f09cfe5c8c124d5e5232cb80178b018d6199bf9be163f0eab9580ad6a9858d9f42a19

C:\Users\Admin\AppData\Local\Temp\msftdm.exe

MD5 1ba9eb7cdab7a589ebbe6d720ae3c187
SHA1 55555de0a07d43a23c4fff84bd4613b9b3c3c104
SHA256 2dee3d4a62c04eb8dd0e30dc4ef3eb51dc80e72422d383b44a363ae939d64eea
SHA512 374a9d844365b1b1d855f83616c9e2d3cc3b9edaef5428af8022845a2679b38483e9249c686fe5f508a60124cc6fad2fbbf23eab60bd2e492b8366799ad60e74

C:\Users\Admin\AppData\Local\Temp\msfttcp.dll

MD5 47a1410f93552cb860134f63e7f08bbd
SHA1 05d13a592f4649af3a5f3a9f13cb686a5f29506a
SHA256 0dcd59b53093f87990eb9385f272a5d75fdc5b9517d62f5ca303c4ff8484ae6d
SHA512 2b18f2890e7690d0fe67c3d6f5962f5081bdc4ffa02e01e07050f061ed551dc54a2aceb52a4200c9f70bdc286c2f2d80c0b071e772952015bb4ee8d0cc6e2f18

C:\Users\Admin\AppData\Local\Temp\msfteml.dll

MD5 6a08aa55a1b999b583bdedd896cf6f7e
SHA1 1c66b481049cd30967e837b0d1b5a04421ad97a0
SHA256 a6b19efc6fc9aa7e8cf722f20fd4e1a40780af255310617c34f9e2dba6efde6b
SHA512 c161885bb5c301c986b3d45112cd74b69ea1bb424ff97a5798717e4e506b2d08ca5b993c20e79cb74cb00f2c5d76198b25424b7d15fade3dccaeb30096a383de

C:\Users\Admin\AppData\Local\Temp\msftcore.dat

MD5 85c353915f5aa8894943ba9724a56946
SHA1 a2ac3dd29c9dcdaf7ef748ac42f6e00a699a8aaf
SHA256 2a8932976e5b6fbe3cde6d4db4c5ee335702412fc907c3fb4d83f1ddf753bd30
SHA512 96d14e46949d1b9bf2b4cb49809b96b99d598bc3c75fe0b159ee544a2b835a49cda9e756b034159767572bf9ab22c3cd78e2e354d2ab578fe1523a8dbaffe955

C:\Users\Admin\AppData\Local\Temp\msftldr.dll

MD5 ee693e9883f032df2849150b5279a21b
SHA1 7f5675e4c9383134fd495aa870d8a4567ae2ce6e
SHA256 fee1bd9f37e1925045425e48d97f215b1786b9bf2b11006ddedffc68c753fea4
SHA512 11378bf51357bbafbe3479974c4809a051f7cdb7877c00f7de523959160eb4235530037e9624e34434ab6d4e8f982768bea56dc3749c83ffd7fc7c6d2a9e6ab4

C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftldr.dll

MD5 c617801ca4bb75ea00da0cc9af86a20b
SHA1 bdc45e976f7f553ebab954549a63def00d65b302
SHA256 c3be7740c2f338688bf7040aa1390e275e1c087b0c3dda843d02eab528572da8
SHA512 5c4f0c3331201728f05185b556d144128f7e84be72fb24e6553e33ac9e0a987575f2d263d710796f8076c363904ea5ed197891ce07d1efb9cef0cc125f1cfb1f

memory/3880-97-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\mscrtvcl98\msftcore.dll

MD5 520004f34edca4a74fc5c3e9d6de36e1
SHA1 f799710dcf35d30245f2d4ffc621fc8058f045b4
SHA256 57de9ecfcfed78b7e52e41c7314d8dfc61976adb51c83478b16405c3d79b9557
SHA512 f3071ef6391222c6689c966051d4d108c2eb56a598d77313b0b1d912d87e3f67709896f735e6928ebc823214c48e551c1fea3aef8e8bb5361785e6f32b11c43f

memory/1088-103-0x00000000006C0000-0x00000000006E3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\mscrtvcl98\msftcore.dat

MD5 f14e8a5674b6b212acb364f5d369bd37
SHA1 2180ebde3057be76b5606b10bcdba93a29f83898
SHA256 8af5010ec5b76b49abffcdc92d131a5963f9d7aae3a427b4347cd545fb1073e8
SHA512 521f1e5d5f7496ebc93b89e63a5ec32c148aa22dc2a1a450d43cc881487fab2acafe854f102ce016a5db3f06b37baa7821b38ed9ddac99e64939794820fbf965

C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msfteml.dll

MD5 431281eb6636a49003c134ad75038139
SHA1 07a74b28bdc347e6936031a5d6f0ddff97c3cc50
SHA256 cbc61c7335c477fa72e5aba70de44ea0df37625372724332c377196af1c083dd
SHA512 1dedf42c0de7eb8cb9f5c6d425358ced05e37dded947c20a9996b32f6cec6753b08cec73413fc134ba7d282dbc60afb3136b20c96bcbf26a14b7717d591e2bc6

memory/1088-115-0x0000000000530000-0x000000000055D000-memory.dmp

memory/980-118-0x00000000005A0000-0x00000000005CD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\mscrtvcl98\msfttcp.dll

MD5 2506cecf663b4a961c65a9d7e9ef795a
SHA1 6262efdd2eba424474f6c2aac20913b3e588aaab
SHA256 baa21cee7ec40eb612ab70ef6d801cbb1645f9da9c827bf0d59d2e65d5646b52
SHA512 f97c35653d03ceb134ff34a912f7a8ca71e67e35a623ebe8f7470d4fd13e0df54ae5c617e23f15354de43f3a2ac762f57a42fb882f1204b0633b2d5fb91cb570

memory/1088-125-0x0000000000530000-0x000000000053D000-memory.dmp

memory/980-122-0x0000000000460000-0x000000000046D000-memory.dmp