Malware Analysis Report

2025-01-23 13:29

Sample ID 241223-rav1es1qan
Target JaffaCakes118_bf0e96518ed963661f2390fbca0abd06fa85df03c38f1ba6e493032055eee0e0
SHA256 bf0e96518ed963661f2390fbca0abd06fa85df03c38f1ba6e493032055eee0e0
Tags: macro macro_on_action trickbot banker discovery packer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

bf0e96518ed963661f2390fbca0abd06fa85df03c38f1ba6e493032055eee0e0

Threat Level: Known bad

The file JaffaCakes118_bf0e96518ed963661f2390fbca0abd06fa85df03c38f1ba6e493032055eee0e0 was found to be: Known bad.

The signatures below fit together as one chain, and the same process set appears in both detonations: the Word document's macro launches explorer.exe with C:\Required\DOMDocument.vbs as its argument, WScript.exe runs that script, the script starts rundll32 on c:\Required\occurs\PFSDOFKGAM.dll through its DllRegisterServer export, the 64-bit rundll32 hands the 32-bit DLL to its SysWOW64 counterpart, and that 32-bit rundll32 starts wermgr.exe, which then enables SeDebugPrivilege. The network tables show TCP sessions straight to IP addresses on ports 443 and 449 with no forward DNS lookup recorded, which is how a hard-coded C2 list looks from inside the sandbox.

Malicious Activity Summary

macro macro_on_action trickbot banker discovery packer trojan

Trickbot family

Trickbot

Process spawned unexpected child process

Templ.dll packer

Suspicious Office macro

Office macro that triggers on suspicious action

Loads dropped DLL

Drops file in Windows directory

System Location Discovery: System Language Discovery

Program crash

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-23 13:59

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-23 13:59

Reported

2024-12-23 14:02

Platform

win7-20241010-en

Max time kernel

139s

Max time network

153s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\935b07a6f2a00b8ca625ef04a73896951908d7be53a376a42f735834ce9e5051.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 4

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2128 wrote to memory of 2852 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\explorer.exe | 4
PID 2836 wrote to memory of 2668 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe | 3
PID 2668 wrote to memory of 2224 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe | 3
PID 2224 wrote to memory of 1032 | N/A | C:\Windows\System32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 1032 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\wermgr.exe | 6
PID 2128 wrote to memory of 2584 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe | 4

Processes

PIDs and "started by" relations below are taken from the WriteProcessMemory rows above (the first process that writes into a new process is read as its creator); the sandbox's Processes list itself reports no PIDs.

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2128)

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\935b07a6f2a00b8ca625ef04a73896951908d7be53a376a42f735834ce9e5051.doc"

C:\Windows\SysWOW64\explorer.exe (PID 2852, started by WINWORD.EXE 2128)

explorer.exe C:\Required\DOMDocument.vbs

C:\Windows\explorer.exe (PID 2836; the /factory,{CLSID} -Embedding form is a COM-activated Explorer instance, and the report records no write from 2852 into it, so the chain is not contiguous at this point)

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe (PID 2668, started by explorer.exe 2836)

"C:\Windows\System32\WScript.exe" "C:\Required\DOMDocument.vbs"

C:\Windows\System32\rundll32.exe (PID 2224, started by WScript.exe 2668)

rundll32 c:\Required\occurs\PFSDOFKGAM.dll,DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe (PID 1032, started by the 64-bit rundll32.exe 2224, which hands a 32-bit DLL to its SysWOW64 counterpart)

rundll32 c:\Required\occurs\PFSDOFKGAM.dll,DllRegisterServer

C:\Windows\system32\wermgr.exe (PID 2544, started by the SysWOW64 rundll32.exe 1032; this is the process that enables SeDebugPrivilege above)

C:\Windows\system32\wermgr.exe

C:\Windows\splwow64.exe (PID 2584, started by WINWORD.EXE 2128; the print-spooler bridge Word launches on its own)

C:\Windows\splwow64.exe 12288
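The behavioral1 process list and WriteProcessMemory rows are exactly the data a detection engineer wants to test lineage rules against. The following is an added example and not part of the sandbox report: it rebuilds the parent/child chain from the report's own PID pairs (the PID-to-image mapping and the reading of "first writer is the creator" are assumptions, stated in the code) and runs three rules over it: an Office application starting a LOLBin with a script path, rundll32 ...,DllRegisterServer on a DLL outside Windows or Program Files, and wermgr.exe created by rundll32.exe. The rule names, the LOLBin list and the trusted-path prefixes are the example's own choices.

```python
"""Rebuild the behavioral1 execution chain from the report's WriteProcessMemory
rows and Processes list, then run three process-lineage detections over it."""
import ntpath
import re
from collections import Counter

# Constructed from the report's "PID X wrote to memory of Y" rows (behavioral1).
# Each repeated row is a separate event, so the repeats are kept as counts.
WRITE_EVENTS = Counter({
    (2128, 2852): 4,   # WINWORD.EXE -> SysWOW64\explorer.exe
    (2836, 2668): 3,   # explorer.exe /factory -> WScript.exe
    (2668, 2224): 3,   # WScript.exe -> System32\rundll32.exe
    (2224, 1032): 7,   # 64-bit rundll32 -> SysWOW64\rundll32.exe
    (1032, 2544): 6,   # SysWOW64\rundll32 -> wermgr.exe
    (2128, 2584): 4,   # WINWORD.EXE -> splwow64.exe (print spooler helper)
})

# Image and command line per PID, from the report's Processes section. The PIDs
# are an assumption: the Processes list carries none, so they are matched to the
# images named in the WriteProcessMemory rows.
PROCESSES = {
    2128: (r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
           r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
           r'"C:\Users\Admin\AppData\Local\Temp\935b07a6f2a00b8ca625ef04a73896951908d7be53a376a42f735834ce9e5051.doc"'),
    2852: (r"C:\Windows\SysWOW64\explorer.exe", r"explorer.exe C:\Required\DOMDocument.vbs"),
    2836: (r"C:\Windows\explorer.exe",
           r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    2668: (r"C:\Windows\System32\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Required\DOMDocument.vbs"'),
    2224: (r"C:\Windows\System32\rundll32.exe", r"rundll32 c:\Required\occurs\PFSDOFKGAM.dll,DllRegisterServer"),
    1032: (r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32 c:\Required\occurs\PFSDOFKGAM.dll,DllRegisterServer"),
    2544: (r"C:\Windows\system32\wermgr.exe", r"C:\Windows\system32\wermgr.exe"),
    2584: (r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries that Office should not be launching with a script path (example's own list).
LOLBINS = {"explorer.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|hta|ps1)\b", re.IGNORECASE)
RUNDLL_REGSVR = re.compile(r"rundll32(?:\.exe)?\s+(\S+?),\s*DllRegisterServer", re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def parent_map(events: Counter) -> dict:
    """child PID -> PID of the first process that wrote into it.

    A sandbox reports the loader's writes into a freshly created child as
    WriteProcessMemory, so the first writer is taken as the parent (assumption).
    """
    parents = {}
    for writer, target in events:
        parents.setdefault(target, writer)
    return parents


def ancestry(pid: int, parents: dict) -> list:
    """PIDs from the root of the known chain down to pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def ancestry_names(pid: int, parents: dict, processes: dict) -> list:
    return [basename(processes[p][0]) for p in ancestry(pid, parents)]


def detect(processes: dict, parents: dict) -> list:
    """Apply three lineage rules; returns (rule_name, pid) pairs."""
    hits = []
    for pid, (image, cmdline) in processes.items():
        name = basename(image)
        parent = parents.get(pid)
        pname = basename(processes[parent][0]) if parent in processes else None

        # Rule 1: an Office application starts a LOLBin whose command line names a script.
        # splwow64.exe is also started by WINWORD here but is not in LOLBINS, so it is not flagged.
        if pname in OFFICE_APPS and name in LOLBINS and SCRIPT_EXT.search(cmdline):
            hits.append(("office_spawns_script_via_lolbin", pid))

        # Rule 2: rundll32 <dll>,DllRegisterServer on a DLL outside Windows / Program Files.
        m = RUNDLL_REGSVR.search(cmdline)
        if m and not m.group(1).lower().startswith(TRUSTED_PREFIXES):
            hits.append(("rundll32_dllregisterserver_userpath", pid))

        # Rule 3: wermgr.exe created by rundll32.exe; wermgr is normally started by the
        # Windows Error Reporting service host, not by a DLL loader running from C:\Required.
        if name == "wermgr.exe" and pname == "rundll32.exe":
            hits.append(("wermgr_spawned_by_rundll32", pid))
    return hits


if __name__ == "__main__":
    parents = parent_map(WRITE_EVENTS)
    print(" -> ".join(ancestry_names(2544, parents, PROCESSES)))
    for rule, pid in detect(PROCESSES, parents):
        print(f"{rule}: pid {pid}: {PROCESSES[pid][1]}")
```

The same three rules map directly onto Sysmon event ID 1 fields (ParentImage, Image, CommandLine) or an EDR process-creation feed; only the loading of `PROCESSES` and `parent_map` changes. Note where the rebuilt chain breaks: the report records no write from the SysWOW64 explorer.exe (2852) into the /factory instance (2836), which appears to be COM-activated, so WScript.exe's parent is 2836, not WINWORD.EXE. A rule that requires WINWORD.EXE as the direct parent of WScript.exe would miss this sample, which is why Rule 1 fires on the explorer.exe launch with a .vbs argument instead.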

Network

Country | Destination | Domain | Proto | Events
DE | 185.234.72.35:443 | - | tcp | 6
BA | 185.99.2.243:443 | - | tcp | 1
IN | 117.222.63.145:449 | - | tcp | 1
RO | 85.204.116.173:443 | - | tcp | 1

Files

memory/2128-0-0x000000002FEA1000-0x000000002FEA2000-memory.dmp

memory/2128-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2128-2-0x00000000739DD000-0x00000000739E8000-memory.dmp

memory/2128-4-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-6-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-5-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-13-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-27-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-26-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-16-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-15-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-14-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-12-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-11-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-9-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-8-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2128-7-0x00000000007D0000-0x00000000008D0000-memory.dmp

C:\Required\DOMDocument.vbs

MD5 260fb1215f12dc252f18fcd7f742e641
SHA1 f7359f7384e1c0ea0d742904062d3d03bfbca65a
SHA256 085c48a7dccd84eb72924d23124d54c22bc7d681fbcb9d2956c11f803e56f310
SHA512 8a2021a43c95bda9ccaf0d47b839da7df4d0873f235cc5c81e3029eae1a4037c34242a1acc5b1f04b017ade2d69fca403f8aca40910f59a4fd24928c2581e67b

\??\c:\Required\occurs\PFSDOFKGAM.dll

MD5 9c7297f808358284407c2243f7087aa5
SHA1 5f355103c0eed80063232b534d7a0a55e66724be
SHA256 f6de646af9af051954ae507227567377b2198ed50fd7cc90fe4ead0318d7c62a
SHA512 3d8ab6f36e5408895ba1fcd403117a6d5bcd602a5e54358a8291c61fac4cc0651656cfe95dd3d59b9425f8f6380fab889e3de409cc251aa943d38b46a865e5d9

memory/1032-41-0x0000000000510000-0x0000000000546000-memory.dmp

memory/1032-37-0x00000000003B0000-0x00000000003E7000-memory.dmp

memory/2128-44-0x00000000739DD000-0x00000000739E8000-memory.dmp

memory/2128-45-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2544-46-0x0000000000110000-0x0000000000111000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-23 13:59

Reported

2024-12-23 14:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\935b07a6f2a00b8ca625ef04a73896951908d7be53a376a42f735834ce9e5051.doc" /o ""

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\explorer.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\935b07a6f2a00b8ca625ef04a73896951908d7be53a376a42f735834ce9e5051.doc" /o ""

C:\Windows\explorer.exe

explorer.exe C:\Required\DOMDocument.vbs

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Required\DOMDocument.vbs"

C:\Windows\System32\rundll32.exe

rundll32 c:\Required\occurs\PFSDOFKGAM.dll,DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe (PID 996, per the WerFault -p 996 arguments below and the memory/996 dumps; this instance crashed, see the Program crash signature)

rundll32 c:\Required\occurs\PFSDOFKGAM.dll,DllRegisterServer

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\SysWOW64\WerFault.exe (crash handler for PID 996)

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 996 -ip 996

C:\Windows\SysWOW64\WerFault.exe (crash handler for PID 996)

C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 644

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp | 1
GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp | 1
US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp | 1
US | 95.101.29.159:443 | metadata.templates.cdn.office.net | tcp | 1
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp | 1
GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp | 29
US | 8.8.8.8:53 | 159.29.101.95.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 136.252.19.2.in-addr.arpa | udp | 1
BR | 179.127.88.41:449 | - | tcp | 1
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp | 1
RU | 89.223.126.186:443 | 89.223.126.186 | tcp | 1
DE | 148.251.185.165:443 | - | tcp | 1
US | 8.8.8.8:53 | 186.126.223.89.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 151.133.100.95.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp | 1
FR | 213.32.84.27:443 | - | tcp | 1
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp | 1
DE | 185.234.72.35:443 | 185.234.72.35 | tcp | 1
IN | 103.36.48.103:449 | - | tcp | 1
US | 8.8.8.8:53 | 35.72.234.185.in-addr.arpa | udp | 1
US | 195.123.240.104:443 | - | tcp | 1
ID | 36.94.33.102:449 | - | tcp | 1
US | 8.8.8.8:53 | - | udp | 1
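The two Network tables in this report mix three kinds of traffic: the sandbox resolver (8.8.8.8:53, including the reverse lookups it performs), Word's own Office 365 endpoints (officeapps.live.com, templates.cdn.office.net), and TCP sessions straight to IP addresses on 443 and 449 with no name resolution, which is the pattern of a hard-coded C2 list; 449 in particular is a port long associated with TrickBot C2. The following is an added example, not part of the report: it parses a constructed subset of the rows from both tables (every direct-IP TCP row, plus a sample of the DNS and Office CDN rows), buckets them using an assumed Office allowlist, counts the direct-IP sessions, and emits Suricata rules in a local SID range that is also an assumption. Nothing in the report shows which of those hosts actually answered, so they are candidates for blocking and retro-hunting, not confirmed C2.

```python
"""Triage the report's Network tables: separate sandbox resolver traffic and
Office cloud telemetry from direct-to-IP TCP connections, then emit Suricata
rules for the latter."""
import re
from collections import Counter, namedtuple

# Constructed subset of the rows from both Network tables in this report
# (every direct-IP TCP row is included; the DNS and Office CDN rows are a sample).
NETWORK_ROWS = """\
DE 185.234.72.35:443 tcp
DE 185.234.72.35:443 tcp
DE 185.234.72.35:443 tcp
DE 185.234.72.35:443 tcp
DE 185.234.72.35:443 tcp
DE 185.234.72.35:443 tcp
BA 185.99.2.243:443 tcp
IN 117.222.63.145:449 tcp
RO 85.204.116.173:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 95.101.29.159:443 metadata.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
BR 179.127.88.41:449 tcp
RU 89.223.126.186:443 89.223.126.186 tcp
DE 148.251.185.165:443 tcp
FR 213.32.84.27:443 tcp
DE 185.234.72.35:443 185.234.72.35 tcp
IN 103.36.48.103:449 tcp
US 195.123.240.104:443 tcp
ID 36.94.33.102:449 tcp
US 8.8.8.8:53 udp
"""

Conn = namedtuple("Conn", "country ip port domain proto")
# Country, ip:port, optional domain, proto. The domain column is blank for direct-IP rows.
ROW = re.compile(r"^([A-Z]{2})\s+(\S+?):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Assumed allowlist: the Office 365 endpoints the sandbox's own Word install contacts.
OFFICE_BASELINE = (".officeapps.live.com", ".cdn.office.net")


def parse_rows(text: str) -> list:
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def classify(c: Conn) -> str:
    if c.proto == "udp" and c.port == 53:
        return "dns"                 # sandbox resolver, including the in-addr.arpa lookups
    if c.domain and c.domain.endswith(OFFICE_BASELINE):
        return "office_baseline"     # Word's own cloud traffic
    if c.proto == "tcp" and (c.domain is None or c.domain == c.ip):
        return "direct_ip"           # no name resolution: hard-coded C2 list behaviour
    return "other"


def triage(conns: list) -> dict:
    """Bucket connections; direct_ip is a Counter of (ip, port) -> event count."""
    out = {"dns": [], "office_baseline": [], "direct_ip": Counter(), "other": []}
    for c in conns:
        kind = classify(c)
        if kind == "direct_ip":
            out[kind][(c.ip, c.port)] += 1
        else:
            out[kind].append(c)
    return out


def suricata_rules(direct_ip: Counter, base_sid: int = 1000001) -> list:
    """One alert rule per (ip, port). base_sid is an assumed local SID range."""
    rules = []
    for i, (ip, port) in enumerate(sorted(direct_ip)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"TrickBot C2 candidate {ip}:{port} (sandbox report bf0e9651)"; '
            f'flow:to_server; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    buckets = triage(parse_rows(NETWORK_ROWS))
    for (ip, port), n in sorted(buckets["direct_ip"].items()):
        print(f"{ip}:{port}  events={n}  port449={'yes' if port == 449 else 'no'}")
    print("\n".join(suricata_rules(buckets["direct_ip"])))
```

The `direct_ip` bucket is also the right input for a retro-hunt over proxy or NetFlow data: a single TCP session from a workstation to any of these addresses on 443 or 449, with no DNS answer for that address in the preceding seconds, is the same signal the sandbox saw. The repeated sessions to 185.234.72.35 across both detonations make it the first address to pivot on.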

Files

memory/5092-0-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

memory/5092-1-0x00007FFCE634D000-0x00007FFCE634E000-memory.dmp

memory/5092-3-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

memory/5092-2-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

memory/5092-6-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-5-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-4-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

memory/5092-8-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-9-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-7-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

memory/5092-10-0x00007FFCA40B0000-0x00007FFCA40C0000-memory.dmp

memory/5092-11-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-12-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-13-0x00007FFCA40B0000-0x00007FFCA40C0000-memory.dmp

memory/5092-31-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

C:\Required\DOMDocument.vbs

MD5 260fb1215f12dc252f18fcd7f742e641
SHA1 f7359f7384e1c0ea0d742904062d3d03bfbca65a
SHA256 085c48a7dccd84eb72924d23124d54c22bc7d681fbcb9d2956c11f803e56f310
SHA512 8a2021a43c95bda9ccaf0d47b839da7df4d0873f235cc5c81e3029eae1a4037c34242a1acc5b1f04b017ade2d69fca403f8aca40910f59a4fd24928c2581e67b

\??\c:\Required\occurs\PFSDOFKGAM.dll

MD5 9c7297f808358284407c2243f7087aa5
SHA1 5f355103c0eed80063232b534d7a0a55e66724be
SHA256 f6de646af9af051954ae507227567377b2198ed50fd7cc90fe4ead0318d7c62a
SHA512 3d8ab6f36e5408895ba1fcd403117a6d5bcd602a5e54358a8291c61fac4cc0651656cfe95dd3d59b9425f8f6380fab889e3de409cc251aa943d38b46a865e5d9

memory/996-45-0x0000000002970000-0x00000000029A7000-memory.dmp

memory/996-50-0x00000000029B0000-0x00000000029E6000-memory.dmp

memory/5092-52-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-54-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-55-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5092-53-0x00007FFCE634D000-0x00007FFCE634E000-memory.dmp

memory/5092-56-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 6844f9ccc95bea78ff2ed8b4eaa4a3f0
SHA1 f137f1936c2fe6db32cb1a515f14f411c12ca240
SHA256 5bdfcdcab47c5fafd62aee8f98cf8772ca7175cf1b987affa55df675392a0dc9
SHA512 e06a24083999a8ef341d068f95519fc7ac7c71c8f6c958df22a30dc16839a7744a752bf75bfc5bec7efaedaa380091d78aad1dbbc536bd0111d222e24d627695

memory/5092-62-0x00007FFCE62B0000-0x00007FFCE64A5000-memory.dmp

memory/5060-63-0x0000024198200000-0x0000024198201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDE4F9.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810