Analysis Overview
SHA256
9a541f72be5b468a4045c8dcefb9eb96ab1b1d864b51e3946b52544ff3078c22
Threat Level: Known bad
The file 442d38dd58513f6a0de7da51976b4839_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-14 03:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 03:48
Reported
2024-07-14 03:51
Platform
win7-20240708-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\secs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NDP452-KB2901954-Web.exe | N/A |
| N/A | N/A | C:\6edd796dfb87dafc18546594eb7978\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\secured.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\442d38dd58513f6a0de7da51976b4839_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NDP452-KB2901954-Web.exe | N/A |
| N/A | N/A | C:\6edd796dfb87dafc18546594eb7978\Setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\6edd796dfb87dafc18546594eb7978\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\6edd796dfb87dafc18546594eb7978\Setup.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\6edd796dfb87dafc18546594eb7978\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\secured.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\442d38dd58513f6a0de7da51976b4839_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\442d38dd58513f6a0de7da51976b4839_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\secs.exe
"C:\Users\Admin\AppData\Local\Temp\secs.exe"
C:\Users\Admin\AppData\Local\Temp\NDP452-KB2901954-Web.exe
"C:\Users\Admin\AppData\Local\Temp\NDP452-KB2901954-Web.exe"
C:\6edd796dfb87dafc18546594eb7978\Setup.exe
C:\6edd796dfb87dafc18546594eb7978\\Setup.exe /x86 /x64 /web
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\secured.exe'"
C:\Users\Admin\AppData\Local\Temp\secured.exe
"C:\Users\Admin\AppData\Local\Temp\secured.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 193.161.193.99:40760 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-14 03:48
Reported
2024-07-14 03:51
Platform
win10v2004-20240709-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\442d38dd58513f6a0de7da51976b4839_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\secs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\secs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NDP452-KB2901954-Web.exe | N/A |
| N/A | N/A | C:\fefa836f9e51fcf908f4865caf28f8\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\secured.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\fefa836f9e51fcf908f4865caf28f8\Setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\fefa836f9e51fcf908f4865caf28f8\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\fefa836f9e51fcf908f4865caf28f8\Setup.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\fefa836f9e51fcf908f4865caf28f8\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\secured.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\442d38dd58513f6a0de7da51976b4839_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\442d38dd58513f6a0de7da51976b4839_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\secs.exe
"C:\Users\Admin\AppData\Local\Temp\secs.exe"
C:\Users\Admin\AppData\Local\Temp\NDP452-KB2901954-Web.exe
"C:\Users\Admin\AppData\Local\Temp\NDP452-KB2901954-Web.exe"
C:\fefa836f9e51fcf908f4865caf28f8\Setup.exe
C:\fefa836f9e51fcf908f4865caf28f8\\Setup.exe /x86 /x64 /web
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\secured.exe'"
C:\Users\Admin\AppData\Local\Temp\secured.exe
"C:\Users\Admin\AppData\Local\Temp\secured.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 193.161.193.99:40760 | | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| SHA256 | 38bbb29178bcc905b2a3f67b19356e3c2e64b30ee836c53dbdb945003e7fa685 |
| SHA512 | f74f3286648368eeddc2bbb6d9b7954af82bb5c9bbdc4e980ff7716545fa7ee4c976c3db1f6de101ee289a6688012b7722f3c088c99e77d52f8a8dfad8654fbd |
C:\fefa836f9e51fcf908f4865caf28f8\1032\LocalizedData.xml
| MD5 | 9a04fe417b406b9c7cf2226fe9f0af7d |
| SHA1 | e173c8ba058d040a3c478b376e42abe8efd0d221 |
| SHA256 | cf056fe4b9db893d36c15c998fc6d5d7b4a6a6e1939166019e58f33052fe4f7c |
| SHA512 | 79f3a4e50c0d145c4a6e3600efcbe50dd0678f1cf08b08802e55ab199ccd99f40882c4cafadae7b92143b9962942c97e563705e6dec742e1e0a3b8ad71373bcb |
C:\fefa836f9e51fcf908f4865caf28f8\1035\LocalizedData.xml
| MD5 | 7d735c8a4ef08c7d5909964cd06475f6 |
| SHA1 | 45fa00364bfe4e9499f29a3669d3b69c666a4f91 |
| SHA256 | 878a063ea2031a74b86d382a9ea9fe7b908945d3584b1d6875c22f31d0cc0b5c |
| SHA512 | 33863a827fc97b3176ea4db1dd4b4ae4eee660b28cd754b63f5c922e2b2e448715a15541e5fda4fc3a82bccea6790c614a63422f4cbe72c10c3908388d929c2c |
C:\fefa836f9e51fcf908f4865caf28f8\1036\LocalizedData.xml
| MD5 | b4418708f11b2bf02dc0efd9e6fcf13b |
| SHA1 | 35b75a1db263a9660fb481cc9021e0e970384e57 |
| SHA256 | aad3228b4e64116a8f3ecf9b261fe87e207b0396d40d52856618336e9b85e977 |
| SHA512 | 564a83cadb5680cee85bb20094acbf0cdb69b733ddaf55ea0d98c308bac77682af5cff469e7ca4dc803a6614d8c58af93dd9f95e918ebfc1cb4a403dc5a29ae3 |
C:\fefa836f9e51fcf908f4865caf28f8\1038\LocalizedData.xml
| MD5 | c6d12ad2e34f2e8532e6b106fcb7a1bb |
| SHA1 | 768e07bdb24e78d68ebc7c63ef4f762ca851c3bb |
| SHA256 | 599aecb8f3a82f2252151f8dd34b31b3ef8221f055a0516db6c96ad9d0dea564 |
| SHA512 | ac5c556150c70a256eec764c63f9b437d29723842f053cd9b1d563002c811cd1d055241ec61508d9d84577539272e16045935277f1a7793f433bef656ba0e55b |
C:\fefa836f9e51fcf908f4865caf28f8\1037\LocalizedData.xml
| MD5 | e86180d0c4410b9589f38fd338307c38 |
| SHA1 | 52d2dde64a7abf6728ae3cc979b7cf4d11317220 |
| SHA256 | 3fa9430eb031b9d1ceb0b4b15b4c655e181376cb59137f1997de3f19431840e6 |
| SHA512 | aa7bfe90ff7a4a5e7dd906f9f0439e144c4162e8b15ceb4f79baedbdd3fe3d79df9137b9fa3dcfa37f83ae378f10ac5f5feb7d717be3b354777ef6872875a0a9 |
C:\fefa836f9e51fcf908f4865caf28f8\1040\LocalizedData.xml
| MD5 | 322828cac4996e388aa80b6b4595db18 |
| SHA1 | 014cd3c79b47aab94bbc956f996e587425648e90 |
| SHA256 | 414e1a512061ea81919484d0261026b30ccbcac4dfe26debc4014e0faba45821 |
| SHA512 | 540721cd54ec5e41bfb843e77e87db89c136fc1fc5464cbd0d1149918774021c33c4fdf5fb36edaabdf573b33ec4a0bd473c582ed108bd2e671366d183f8d061 |
C:\fefa836f9e51fcf908f4865caf28f8\1042\LocalizedData.xml
| MD5 | ae3d8abc864f0355c94ee0427340e780 |
| SHA1 | 9021b48a2209bf5b96898206efe1795012b8be3c |
| SHA256 | 95fc7873f94c5f4e061aac21a6e72f646b94582b266c079d21ea5b3142478604 |
| SHA512 | 30da881b2e3ea0a70bab1b90fe0b10e48a29e9ceba002b919fcb0421b2951b7944c9012a1a4f45398f5ac3fecabebd8865ff479b6b957ea58d332668028f8a63 |
C:\fefa836f9e51fcf908f4865caf28f8\1043\LocalizedData.xml
| MD5 | a0963a5cb208a5188eb6b99d0022b770 |
| SHA1 | 6de0ec37065241be89fa9ca4b7224c160b6d13fb |
| SHA256 | 3231146c17b376611245f654bf886bea56a98e1bae2045d04e18bfd3c23f023f |
| SHA512 | a06ab6ad0822d5c36c2528aadf011283187c9dcdf1b065bce8e01fc827b376af61176c3f812e9714696bf01cf2a67acb931a3efedd11e8f80d2412324daa45bc |
C:\fefa836f9e51fcf908f4865caf28f8\1041\LocalizedData.xml
| MD5 | 2bad10a78f811664e82c7934bffd6694 |
| SHA1 | 8125490619be7aa09997dba5000b3878e53190c4 |
| SHA256 | 9319adb57c8244c30e3d850f62c8612789d3b7f875d173e16bbbc7171291cad5 |
| SHA512 | 4b64f75545ef56fb66aab2142db3d78c97f8274742028d504d2d1c600b48aa4104e6214541fec9bea3362bda4942c4677919ed63c1a3b22864b7397a7547eaf6 |
C:\fefa836f9e51fcf908f4865caf28f8\1044\LocalizedData.xml
| MD5 | 8129335ad250d11640c5f916004a0510 |
| SHA1 | 379f82c01ddb8704b22818b28e0d781a3f292ce1 |
| SHA256 | 69156fa84009e79b95374f1cb034843273a7f0bb4508eeb689a7f37f9a818410 |
| SHA512 | bfc454d02c4e5e7c8841dc32d3b7c3f6ed11df106bd3472ffce87c7237b962caa22573632da4bd6a5dd1b989a516e66c4d69ebc8970b0dfa33c60155777972a6 |
C:\fefa836f9e51fcf908f4865caf28f8\1046\LocalizedData.xml
| MD5 | 7bcf32de27b17b486a81363e98562a4a |
| SHA1 | 6d08dd72c36190984a589402d7c0b608d6aecbb4 |
| SHA256 | a5fddd50c8c54ebff1caddf75dbf34ebabf96746e0cdbd6b5190cac18c037f97 |
| SHA512 | bdc549b334772d8db9baf00ecc9fee0d904b2d0aa17a292b15fca29076513c003f376818d047f66c4c327ea707d2509f509897a05b3578daf21a3668046f0a88 |
C:\fefa836f9e51fcf908f4865caf28f8\1045\LocalizedData.xml
| MD5 | df8773afe81f42771b380af5793e1884 |
| SHA1 | 947828f2b8dcf0e129fe7b9cfad2c5016dab495f |
| SHA256 | 61aa6d64c71e342fb60d1621daed8801774e2901babab484f646be8c317031fd |
| SHA512 | 53ffb488428d1a3856d986e9874fb5509451ddd688c0d7ae28fceb730c7e109c3e997eeee5176cd0546fe5214b73102677b0f7103de53a157cdcf24be29f623f |
C:\fefa836f9e51fcf908f4865caf28f8\1049\LocalizedData.xml
| MD5 | 0f60c968bbb0534bbe2ea7da40bcd571 |
| SHA1 | 661c0e6372cebc7d343af29a08eb0c5b189773b7 |
| SHA256 | dcd832b208f3d02bce0bf320c8c0b3486f92cf8c7eac0c136d6dddea0964e858 |
| SHA512 | 1aaf6ca9a256029257e1752f00c514b5751f2ef4022d5497e8d57a6426fff8f4a7e1040f662d81675ef7e1acc52f8d671bb1f414396a643e1a2587eb71c1b2c6 |
C:\fefa836f9e51fcf908f4865caf28f8\1053\LocalizedData.xml
| MD5 | d21f3f1f18812b8a3d18e8976c131d18 |
| SHA1 | 63045886d22e76c11df23a827147c4e1b155beb4 |
| SHA256 | ac4676cc053f3f2577e526d2c395ff28368bc30284a1e8565017264c5c223bac |
| SHA512 | ba35495b6c6233bb9d453370af577d98bed79612530cdb577f0c1862879e9109719f5fb21dccfce930606ecc22b5796a712848282c513d2cc9705b60df2a5c41 |
C:\fefa836f9e51fcf908f4865caf28f8\1055\LocalizedData.xml
| MD5 | 305bfad75d969521b49193a7d2300502 |
| SHA1 | 047d8a833c6c735a773b45045294b4e53ff469e7 |
| SHA256 | b733ceaa74c6a49ef36957d47e37e7b6d231574529c745d8c9ea2e1f4cd356ef |
| SHA512 | 3631a0ba4ec98cee474e562ed3a9d68b8251201c309ba4e0b8a23359748674dd5b263e53d39beaefee67ebcd4e050fc60e398785951a0ba4e91271acd580fd52 |
C:\fefa836f9e51fcf908f4865caf28f8\2052\LocalizedData.xml
| MD5 | a905e8fc19234d4535ae9fd752976b91 |
| SHA1 | 6979d6591d8d5f8282a159a7c4d8cd27de5296f4 |
| SHA256 | 0ab0473df4a26cc1b0e3798959dce598d89030ae1d9449568565326a11bdcb11 |
| SHA512 | b5546b5eb2cfd77812cc34198cbe5b57ef2978f821cebe7fc887e0db4b43b2fad52b2aab6c8729693704b2391a2ecaba138fe93f5371ca6c64a95e7835fe3084 |
C:\fefa836f9e51fcf908f4865caf28f8\2070\LocalizedData.xml
| MD5 | 90758f62ecc928cd4e2ef9be9e6a97de |
| SHA1 | 74b2cf1c6c5cf0b82a08c6821caf9491534dcb10 |
| SHA256 | 9b1576ac369acc11686c4dc313beac4077fe0b812f9762b65aa50c6c7efa8470 |
| SHA512 | e9f01f01510afeb8d47b3ab1352986e9f9b263eb85fdb073a21413c0cceb5d8d6ee8d0d7bac8ec546270e03b2d76ba702c0e41a3016468a8617415ad6a9c51cb |
C:\fefa836f9e51fcf908f4865caf28f8\3082\LocalizedData.xml
| MD5 | df442eaac1e1abd82633edb1fffa0859 |
| SHA1 | 540b85f121296c53128e46b00c61967a26f9971d |
| SHA256 | 5122037a4881bed83ba15c65913911b7a58d9fa9caf073ee2aa092bf03f5c999 |
| SHA512 | 99812f8b5c075e5b6acf2223c340c6a75992ec79acf3b4502c368115cd9fe2882b8d3777e432b2e6466d8fc0d91d34b024def8e8ad3f486c0f7214e38ee92c40 |
C:\fefa836f9e51fcf908f4865caf28f8\SetupUi.dll
| MD5 | b093cfd235683b615176a6ba9df10c27 |
| SHA1 | 2f6aed7a7b87322cb32d26b1f82cb325f2fad5a0 |
| SHA256 | 7f88e74a3d92f6a6c5985417176bc915855a53f2cc4ea921e94e4409663709e7 |
| SHA512 | 945f7f8a5c1e86374211dbc40a78d7afa70fd1800922c6889fa699da1f45bc8ac4f6b4947db837a65d737f6094630b21cc99a5f38d9b82f8a5345410de4caed7 |
C:\fefa836f9e51fcf908f4865caf28f8\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
C:\fefa836f9e51fcf908f4865caf28f8\1033\SetupResources.dll
| MD5 | 1a83c2fbc264d052d140936c3c45022a |
| SHA1 | 1875ad490270d592f332322862911997ad687af0 |
| SHA256 | 622d6db165fb8e6707c77bf56f54806aec394706ff36baf11821cb16fc0de24b |
| SHA512 | b781a3a3274b2b8c4a673eaa37a53f9d7ae04b6e51142060608b272dcebc75a246658989d5912f325b82051e29732022ab066c17a3b927191872798f664868b4 |
C:\fefa836f9e51fcf908f4865caf28f8\Strings.xml
| MD5 | 8a28b474f4849bee7354ba4c74087cea |
| SHA1 | c17514dfc33dd14f57ff8660eb7b75af9b2b37b0 |
| SHA256 | 2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b |
| SHA512 | a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369 |
C:\fefa836f9e51fcf908f4865caf28f8\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
C:\fefa836f9e51fcf908f4865caf28f8\graphics\warn.ico
| MD5 | b2b1d79591fca103959806a4bf27d036 |
| SHA1 | 481fd13a0b58299c41b3e705cb085c533038caf5 |
| SHA256 | fe4d06c318701bf0842d4b87d1bad284c553baf7a40987a7451338099d840a11 |
| SHA512 | 5fe232415a39e0055abb5250b120ccdcd565ab102aa602a3083d4a4705ac6775d45e1ef0c2b787b3252232e9d4673fc3a77aab19ec79a3ff8b13c4d7094530d2 |
C:\fefa836f9e51fcf908f4865caf28f8\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
C:\fefa836f9e51fcf908f4865caf28f8\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
memory/3168-295-0x00007FFE5E010000-0x00007FFE5EAD1000-memory.dmp