Malware Analysis Report

2024-11-16 13:12

Sample ID 240625-tqcvwszfje
Target 0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118
SHA256 b6928ada9b353108cb8fe31881ad6dbafc958187ca2ad80bcd9a7ba509339ddf
Tags
sality backdoor evasion upx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6928ada9b353108cb8fe31881ad6dbafc958187ca2ad80bcd9a7ba509339ddf

Threat Level: Known bad

The file 0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion upx trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies firewall policy service

Sality

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Loads dropped DLL

Windows security modification

UPX packed file

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 16:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 16:15

Reported

2024-06-25 16:17

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Documents and Settings\tazebama.dl_ | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Documents and Settings\tazebama.dl_ | N/A

Sality

backdoor sality

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Documents and Settings\tazebama.dl_ | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\V: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\L: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\I: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\H: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\G: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\W: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\U: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\M: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\Y: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\S: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\Q: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\P: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\O: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\N: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\K: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\J: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\T: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\E: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\X: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\R: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\Z: | C:\Documents and Settings\tazebama.dl_ | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\autorun.inf | C:\Documents and Settings\tazebama.dl_ | N/A
File opened for modification | C:\autorun.inf | C:\Documents and Settings\tazebama.dl_ | N/A
File opened for modification | C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf | C:\Documents and Settings\tazebama.dl_ | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE | C:\Documents and Settings\tazebama.dl_ | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Documents and Settings\tazebama.dl_ | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe"

C:\Documents and Settings\tazebama.dl_

"C:\Documents and Settings\tazebama.dl_"

Network

N/A

Files

memory/2164-0-0x0000000000400000-0x000000000041E000-memory.dmp

\Users\tazebama.dll

MD5 b6a03576e595afacb37ada2f1d5a0529
SHA1 d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA256 1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512 181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

\Users\tazebama.dl_

MD5 8960b7b1a3ae1828bf926b8661f59e39
SHA1 4f984da264ada230e319b938fd411ece1fd5cd4c
SHA256 dc22eccf113bd383b1ac2bde5433b59d09f2eb9ac0af1a582221a8c5096bc072
SHA512 8e559d5a94ed940a94e8f1c5784a90e5d36d8f613f452aed496888623a6eb9c70331b51d9cf481b396ab841c2dd9dfed2862b8d0111ae23abcb713ca9bf8138d

memory/2280-15-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2164-14-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2164-13-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2164-12-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2164-44-0x0000000000400000-0x000000000041E000-memory.dmp

C:\autorun.inf

MD5 163e20cbccefcdd42f46e43a94173c46
SHA1 4c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA256 7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512 e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

C:\zPharaoh.exe

MD5 cc801a3ebba6e5e3f636741e4ab30e5f
SHA1 071095b2ddc55a40d3b4a7e7022dd4f01d51cf1a
SHA256 04e6080995b2c7f0053e813a999e2b29ae39dd95b79bb9d455718a08764b836a
SHA512 0a2065575e3ab374dbf0ae77dbf615ec983851bbad471016e313a536488152a12239f89df75ba9fee0b854c4c043d88aea235cdad72a39ba21f060175ed393c8

F:\zPharaoh.exe

MD5 af2e0aa433dfa505aad400c89c31ea15
SHA1 8aca5f03b447bde200d58ece49981e834e0269cb
SHA256 537172c530d5236052ec4b90f03ea9ab70edc393ec7dfc2e042ae583dbe9de8b
SHA512 72ec6d5efb3e8332bdea269b76d4f3e1aacfe95f08555434cb317978fc56382679eb3cbc8efeb058b3d1a1e7cf44f3407f386301b6df946af5e1ab451a650079

memory/2164-48-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2164-47-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2164-46-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2164-20-0x0000000002A40000-0x0000000003ACE000-memory.dmp

memory/2280-65-0x0000000000400000-0x0000000000416000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 16:15

Reported

2024-06-25 16:17

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Documents and Settings\tazebama.dl_ | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Documents and Settings\tazebama.dl_ | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Y: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\R: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\P: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\L: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\K: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\I: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\Z: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\X: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\T: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\S: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\Q: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\M: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\J: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\V: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\U: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\N: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\H: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\G: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\E: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\W: | C:\Documents and Settings\tazebama.dl_ | N/A
File opened (read-only) | \??\O: | C:\Documents and Settings\tazebama.dl_ | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\autorun.inf | C:\Documents and Settings\tazebama.dl_ | N/A
File opened for modification | C:\autorun.inf | C:\Documents and Settings\tazebama.dl_ | N/A
File opened for modification | C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf | C:\Documents and Settings\tazebama.dl_ | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE | C:\Documents and Settings\tazebama.dl_ | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Documents and Settings\tazebama.dl_

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Documents and Settings\tazebama.dl_ | N/A
N/A | N/A | C:\Documents and Settings\tazebama.dl_ | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118.exe"

C:\Documents and Settings\tazebama.dl_

"C:\Documents and Settings\tazebama.dl_"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 740

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/4188-1-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\tazebama.dll

MD5 b6a03576e595afacb37ada2f1d5a0529
SHA1 d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA256 1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512 181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

memory/4188-10-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Documents and Settings\tazebama.dl_

MD5 8960b7b1a3ae1828bf926b8661f59e39
SHA1 4f984da264ada230e319b938fd411ece1fd5cd4c
SHA256 dc22eccf113bd383b1ac2bde5433b59d09f2eb9ac0af1a582221a8c5096bc072
SHA512 8e559d5a94ed940a94e8f1c5784a90e5d36d8f613f452aed496888623a6eb9c70331b51d9cf481b396ab841c2dd9dfed2862b8d0111ae23abcb713ca9bf8138d

memory/4984-11-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4188-16-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4188-19-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4188-12-0x0000000002BE0000-0x0000000003C6E000-memory.dmp

memory/4188-15-0x0000000002BE0000-0x0000000003C6E000-memory.dmp

memory/4188-14-0x0000000002BE0000-0x0000000003C6E000-memory.dmp

C:\autorun.inf

MD5 163e20cbccefcdd42f46e43a94173c46
SHA1 4c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA256 7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512 e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

C:\zPharaoh.exe

MD5 03eb17c71b01b61affbbe326a483f2b8
SHA1 3561b5cb2a51440949014ce54586839e32bd27be
SHA256 71c91da9542f3b461b152d8bbf30d52fa0bf101aec9371021b85e466256f9a21
SHA512 bc9450ef02accc390b4be0c2476027f8f77cdf7d6d2f9045a9cf5957485370e690655d4a59d8398346834ba5019599042353a410527123a3e70fdeeb3d0f7397

F:\zPharaoh.exe

MD5 849815976fb6977a528e1c459b2945b8
SHA1 98d51963dc6fe4109c8e2e9b6d7d2ec3a0c4cec6
SHA256 bf150c13cac50856f21954b24d011022be66a9e0ff1011e400679b46414aa384
SHA512 a16cd2c9aa2fcc40f38d8fe1c08dae8879382c525607c6d0d11b3fdff5697c20cc55b7241f61c105e78cf7b15a7a2b5aa0d3cd78e1c3d43d6a4f9f160b58a15f

memory/4984-47-0x0000000000400000-0x0000000000416000-memory.dmp