Analysis Overview
SHA256
7a4dd19689e0e617cdbb9a6f2c85568e58321113e8111d0474ab6a5fade9780d
Threat Level: Shows suspicious behavior
The file JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3 was found to show suspicious behavior.
Malicious Activity Summary
Event Triggered Execution: Component Object Model Hijacking
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2025-01-19 18:53 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2025-01-19 18:53 |
| Reported | 2025-01-19 18:56 |
| Platform | win7-20240729-en |
| Max time kernel | 117s |
| Max time network | 118s |
| Command Line | |
Signatures
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe | N/A |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CelebSauce Browser Plugin Loader = "C:\\PROGRA~2\\CELEBS~1\\bar\\1.bin\\kabrmon.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e8c699e4-65a3-432c-91bf-9990864d1681} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{e8c699e4-65a3-432c-91bf-9990864d1681}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabarsvc.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamedint.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\LOGO.BMP | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\IE9Mesg\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\INSTALL.RDF | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\Message\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaimpipe.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskplay.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\chrome\kaffxtbr.jar | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\Settings\s_pid.dat | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaimpipe.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrmon.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\INSTALL.RDF | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\chrome\kaffxtbr.jar | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\IE9Mesg\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\CHROME.MANIFEST | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieuser.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskplay.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrmon.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kadlghk.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{2083a5f7-39dd-410a-95db-0afc2dcc29f4} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\AppName = "kaSrchMn.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\AppName = "kaSkPlay.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\AppName = "kaimpipe.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\AppName = "kamedint.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{1558273e-0e2b-49c8-b7bd-24b26e5e4262} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\AppName = "kaSlSrch.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4105f671-0671-47c5-aa9b-1d070f1b3488} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{519d34db-2c0a-4695-b9e0-2ae6d5a2850f}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.MultipleButton.1\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c74d863a-a397-4082-8a7f-010999de7ba1}\ProgID\ = "CelebSauce.MultipleButton.1" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{622E060D-777A-41A3-B772-45D5684E8E1A}\ = "IRadioSettings" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{373683C2-3B62-4FAD-9CB0-71ECB20EDBF1}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CBDFDD45-59DF-44CD-A287-0A250E965497}\ = "ITemplateBarFeedManager" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1d91ba62-eac5-4b33-a9fc-98a473530cc4}\ProgID | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b518d7a9-921d-4d19-bcd3-463a54223eb3}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84}\ = "IDataCtrl" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FA17F68-AD2B-405B-97AC-629C41179745}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A1E3675-6BA2-40B9-BA51-15FA2AC46552}\ = "_It8HTMLPanelEvents" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.PseudoTransparentPlugin\CLSID\ = "{ef272c33-0aaf-4156-8bd5-6f56d4096378}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{75A5A7EA-0520-401F-962D-C3BB1C04857C}\ = "_ITemplateBarSettingsEvents" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7EB1E4D-6293-4A3B-B770-9C6E158D40CE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4105f671-0671-47c5-aa9b-1d070f1b3488}\VersionIndependentProgID\ = "CelebSauce.HTMLPanel" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B4EC73A-87CB-4513-BCF7-EB687160E366}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ba07869-4777-4518-82a0-7a9a218efb1d}\InprocServer32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\kadyn.dll" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5879DBEA-0744-4C66-8694-E4A3D79CA3B9}\1.0\0\win32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\t8res.dll\\1306" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEA03E7F-CB31-4360-8D84-6B338446141D}\ = "ITemplateXMLElement" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\MiscStatus\1\ = "131473" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{eb358b58-deb0-4dfa-b31a-98e73e0a973b}\InprocServer32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\kabar.dll" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26965EF9-F7F2-4570-9518-C8AFEEC9C0F3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b518d7a9-921d-4d19-bcd3-463a54223eb3}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{2083a5f7-39dd-410a-95db-0afc2dcc29f4}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D4A1154-EDA8-45ED-A72C-3D651F84F407}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFCDECCF-2319-4024-AD96-A5A3A6BEA2C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A28CF0DF-1325-440C-8E1D-B3965967C697} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EEA03E7F-CB31-4360-8D84-6B338446141D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAA83B37-A1A8-4C03-8C19-BDB60CD3B3F2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.HTMLPanel.1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\Version | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26965EF9-F7F2-4570-9518-C8AFEEC9C0F3}\1.0\0\win32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\t8res.dll\\1406" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{519d34db-2c0a-4695-b9e0-2ae6d5a2850f}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFCDECCF-2319-4024-AD96-A5A3A6BEA2C4}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26699127-B3DC-47DD-83B5-9F6120A03422}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e8c699e4-65a3-432c-91bf-9990864d1681} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{75A5A7EA-0520-401F-962D-C3BB1C04857C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A28CF0DF-1325-440C-8E1D-B3965967C697}\1.0\0\win32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\t8res.dll\\1604" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E0A6C2-78C5-4A7A-8F4E-7E7A1C602F77}\ = "ITemplatePopupMenu" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D9E2687B-B800-43D3-A6A3-0A5FF3809A6D} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.MultipleButton.1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.MultipleButton.1\CLSID | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7563B5D2-F96A-47CA-91BE-B1BAD33AAB21}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD6E77C8-DE93-46A4-B96E-6C1ACD1CDE40}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4EBDFB0-EF5A-4AA1-86C4-C8837A4E3771} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72d4b89e-7dbe-4e98-bdb7-90c0e9953798}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.ScriptButton\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FA17F68-AD2B-405B-97AC-629C41179745}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5879DBEA-0744-4C66-8694-E4A3D79CA3B9}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97192E83-A4D3-48D6-9A28-2E6724FBF31B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5879DBEA-0744-4C66-8694-E4A3D79CA3B9}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECB0E9BA-91A3-42F2-9F1A-F1C5E02972C1}\1.0\ = "RADIOLib" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71915efb-4a33-4795-9559-ee19cd4a071f}\ = "DataCtrl Class" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90E6117C-08C3-4800-804F-6EC993749E6A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B54FA1BC-378D-4560-AEE0-0A34FA7A78AF}\TypeLib\ = "{F2263100-9E31-4540-AB8C-D74121F7E690}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D4A1154-EDA8-45ED-A72C-3D651F84F407} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f2b78d16-8999-4073-b929-a363d2eaea95}\TypeLib\ = "{0fa17f68-ad2b-405b-97ac-629c41179745}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe"
C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
"C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE" /p=Z6/n="CelebSauce"
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -remove
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -install
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe"
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
"C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe" katpinst.dll,#5
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 18:53
Reported
2025-01-19 19:25
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe | N/A |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CelebSauce Browser Plugin Loader = "C:\\PROGRA~2\\CELEBS~1\\bar\\1.bin\\kabrmon.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8c699e4-65a3-432c-91bf-9990864d1681} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8c699e4-65a3-432c-91bf-9990864d1681}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{F7FABDD9-C7D2-4260-AC5B-0016C906EEAD} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7fabdd9-c7d2-4260-ac5b-0016c906eead}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamedint.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskplay.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\INSTALL.RDF | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabarsvc.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\Message\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\IE9Mesg\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamedint.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\chrome\kaffxtbr.jar | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabarsvc.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrmon.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\LOGO.BMP | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\LOGO.BMP | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieuser.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaimpipe.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\CHROME.MANIFEST | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskplay.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\IE9Mesg\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\INSTALL.RDF | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrmon.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaimpipe.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{2083a5f7-39dd-410a-95db-0afc2dcc29f4} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\AppName = "kaimpipe.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84091b66-93f0-4130-beee-d94efd39c30b}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\AppName = "kaSlSrch.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{af67e4e9-8c55-4bb7-ab4d-885dae3cb819}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36}\AppName = "kaSkPlay.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\AppPath = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\AppName = "kaSrchMn.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc975ccd-0f52-4aca-ba1a-100270ec707d}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7222e8c1-c515-43cf-9e5b-161620e33f36} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{1558273e-0e2b-49c8-b7bd-24b26e5e4262} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6f505587-aeb3-4020-bd98-978cd31e899f}\AppName = "kamedint.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.XMLSessionPlugin\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7563B5D2-F96A-47CA-91BE-B1BAD33AAB21} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{75A5A7EA-0520-401F-962D-C3BB1C04857C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ef272c33-0aaf-4156-8bd5-6f56d4096378}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2263100-9E31-4540-AB8C-D74121F7E690}\1.0\ = "TYPELIB_NAME" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B54FA1BC-378D-4560-AEE0-0A34FA7A78AF}\TypeLib\ = "{F2263100-9E31-4540-AB8C-D74121F7E690}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FFCDECCF-2319-4024-AD96-A5A3A6BEA2C4}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E109D05-78C2-42C4-904A-AD54D16F551E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.RadioSettings\CLSID | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{622E060D-777A-41A3-B772-45D5684E8E1A}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4C0CB84-2409-485B-9BEB-E5FB3264BA02}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2B4EC73A-87CB-4513-BCF7-EB687160E366}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFAF2D04-3AC2-4543-8E37-E8C2F2EC8EE4}\ = "IDisableAddonRebuttal" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBDFDD45-59DF-44CD-A287-0A250E965497} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A1E3675-6BA2-40B9-BA51-15FA2AC46552} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75A5A7EA-0520-401F-962D-C3BB1C04857C}\ = "_ITemplateBarSettingsEvents" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F33D893-F59E-4A8F-AA89-82630B071D84} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{622E060D-777A-41A3-B772-45D5684E8E1A} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{622E060D-777A-41A3-B772-45D5684E8E1A}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E0A6C2-78C5-4A7A-8F4E-7E7A1C602F77}\ = "ITemplatePopupMenu" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84091B66-93F0-4130-BEEE-D94EFD39C30B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.ToolbarPlugin.1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4C0CB84-2409-485B-9BEB-E5FB3264BA02}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA392876-1291-4B50-825D-D087CA3BC78B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E0A6C2-78C5-4A7A-8F4E-7E7A1C602F77}\ = "ITemplatePopupMenu" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECB0E9BA-91A3-42F2-9F1A-F1C5E02972C1}\1.0 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ef272c33-0aaf-4156-8bd5-6f56d4096378}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDBAA43E-246E-4A7C-BC7C-B3B6CE9A1BDF}\ = "POPUPMENU_INTERFACE" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA392876-1291-4B50-825D-D087CA3BC78B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2B4EC73A-87CB-4513-BCF7-EB687160E366}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.XMLSessionPlugin.1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.MultipleButton\CLSID\ = "{c74d863a-a397-4082-8a7f-010999de7ba1}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.ScriptButton\CurVer | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7222e8c1-c515-43cf-9e5b-161620e33f36}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2b78d16-8999-4073-b929-a363d2eaea95}\ = "Disable Addon Rebuttal Control" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FA17F68-AD2B-405B-97AC-629C41179745}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E0A6C2-78C5-4A7A-8F4E-7E7A1C602F77}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2b78d16-8999-4073-b929-a363d2eaea95}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFAF2D04-3AC2-4543-8E37-E8C2F2EC8EE4} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.PseudoTransparentPlugin.1\CLSID\ = "{ef272c33-0aaf-4156-8bd5-6f56d4096378}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{eb358b58-deb0-4dfa-b31a-98e73e0a973b}\ProgID\ = "CelebSauce.SettingsPlugin.1" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7EB1E4D-6293-4A3B-B770-9C6E158D40CE}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAA83B37-A1A8-4C03-8C19-BDB60CD3B3F2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1256417e-df37-4f66-8160-ad7c63c79b2b}\InprocServer32\ = "C:\\Program Files (x86)\\CelebSauce\\bar\\1.bin\\kascript.dll" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.PseudoTransparentPlugin\CurVer | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CBDFDD45-59DF-44CD-A287-0A250E965497}\TypeLib\ = "{C87BB0AA-DC5A-4187-AD8C-F402B643B1F1}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A1E3675-6BA2-40B9-BA51-15FA2AC46552}\ = "_It8HTMLPanelEvents" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBDFDD45-59DF-44CD-A287-0A250E965497}\TypeLib\ = "{C87BB0AA-DC5A-4187-AD8C-F402B643B1F1}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E109D05-78C2-42C4-904A-AD54D16F551E}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CelebSauce.ToolbarPlugin | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B54FA1BC-378D-4560-AEE0-0A34FA7A78AF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{373683C2-3B62-4FAD-9CB0-71ECB20EDBF1}\TypeLib\ = "{C74F11B2-BF6D-4C62-A1B0-A1CA4D60097A}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26699127-B3DC-47DD-83B5-9F6120A03422}\TypeLib\ = "{26965EF9-F7F2-4570-9518-C8AFEEC9C0F3}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\WOW6432Node\CLSID\{2083a5f7-39dd-410a-95db-0afc2dcc29f4}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF67E4E9-8C55-4BB7-AB4D-885DAE3CB819}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26965EF9-F7F2-4570-9518-C8AFEEC9C0F3}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2b78d16-8999-4073-b929-a363d2eaea95}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9e891022-aac0-43d5-a88b-34064a3fe080}\ProgID\ = "CelebSauce.RadioSettings.1" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{eb358b58-deb0-4dfa-b31a-98e73e0a973b}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{eb358b58-deb0-4dfa-b31a-98e73e0a973b}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAA83B37-A1A8-4C03-8C19-BDB60CD3B3F2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe"
C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
"C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE" /p=Z6/n="CelebSauce"
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -remove
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -install
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
"C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe"
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
"C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe" katpinst.dll,#5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\T8SETUP.EX_
C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
C:\Program Files (x86)\CelebSauce\bar\1.bin\NPkaStub.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kaauxstb.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kabar.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\T8RES.DLL
C:\Program Files (x86)\CelebSauce\bar\1.bin\kabarsvc.exe
C:\Program Files (x86)\CelebSauce\bar\1.bin\kabrstub.dll
C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
C:\Program Files (x86)\CelebSauce\bar\1.bin\kadatact.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kadlghk.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kadyn.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kafeedmg.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtml.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kahtmlmu.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kahttpct.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kaidle.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kaieovr.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kamlbtn.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kamsg.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kaPlugin.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\karadio.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\karegfft.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\karegiet.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kascript.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kaskin.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kaSrcAs.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\katpinst.dll
C:\Program Files (x86)\CelebSauce\bar\1.bin\kahighin.exe
C:\Program Files (x86)\CelebSauce\bar\1.bin\kauabtn.dll