Analysis Overview
SHA256
98bfb6dbce441f0045bb41cbff65a491837b292611aa26c1048f5f58c879b234
Threat Level: Known bad
The file 0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Loads dropped DLL
Drops file in Program Files directory
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-23 12:38
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 12:38
Reported
2024-06-23 12:40
Platform
win7-20240508-en
Max time kernel
119s
Max time network
122s
Signatures
Gh0st RAT payload
Gh0strat
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\%SESSIONNAME%\gtgmy.pic | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k regsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | | udp |
Files
\??\c:\program files (x86)\%sessionname%\gtgmy.pic
| MD5 | 0815469301c930c991627762bc68cadc |
| SHA1 | f6c9335e65491aaa8a82ba036f8a5634ac680872 |
| SHA256 | 4b72d5c45b0d335a77a06f3ce9ef30ed227d18862c0e3daff21c5e7b9f4b2138 |
| SHA512 | 739f773e7506a5697b0ab3d5e3333787b802baf9234f6e64b22139623bd987ddf8d93d41749b88007f1abc80ce6cf45bf3f2f6a7df264c856cea77639814c832 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 12:38
Reported
2024-06-23 12:40
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Signatures
Gh0st RAT payload
Gh0strat
Loads dropped DLL
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\%SESSIONNAME%\lvsjf.pic | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0606cc01c4d8feb608e500a4eadd82f7_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1036 -ip 1036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2788 -ip 2788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2676 -ip 2676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3884 -ip 3884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1164 -ip 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2608 -ip 2608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1192 -ip 1192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3964 -ip 3964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1568 -ip 1568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2052 -ip 2052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3472 -ip 3472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2024 -ip 2024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3856 -ip 3856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3280 -ip 3280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1792 -ip 1792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2788 -ip 2788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 516 -ip 516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2368 -ip 2368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 540 -ip 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5048 -ip 5048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 936 -ip 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2304 -ip 2304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
\??\c:\program files (x86)\%sessionname%\lvsjf.pic