arkei | 2ea6afd8cd172d7a43de0e037d7250b9036de4b87e1f0c10ba04c286c8c58704

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Size

5.5MB
MD5

22fbdbddd05ab5346e7a7f5adb79cc2e
SHA1

d42ad7f2723f699cc7de6fa079fb5373d81802d3
SHA256

2ea6afd8cd172d7a43de0e037d7250b9036de4b87e1f0c10ba04c286c8c58704
SHA512

c6b342f3fa6c6bf70f3f56a94fc29fd8a45cdda7b31f5654c10b9fa6af7bc2f52680c65a1d8ccc6c8eb52b71069c97d78e5089770bb1da40df39f18be643c3e2
SSDEEP

98304:AH7CgqLPRPYv7cZuwYx72XPo0+X+6zVfdUgqr2/xCQM70GpdQwssWhLcm0kch/0:A+gqLKB2p5c1UP2zM701wsxLN9ch/0

Score

10^/10

arkei babadeda default crypter loader stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

185.215.113.39/7vlcKuayFx.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\nqf	family_babadeda

Executes dropped EXE 1 IoCs

Processes:

plotbinding.exe

pid process

1952 plotbinding.exe

pid	process
1952	plotbinding.exe

Loads dropped DLL 11 IoCs

Processes:

22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exeMsiExec.exeMsiExec.exeplotbinding.exe

pid	process
2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
2500	MsiExec.exe
2500	MsiExec.exe
1968	MsiExec.exe
1968	MsiExec.exe
1968	MsiExec.exe
1968	MsiExec.exe
1968	MsiExec.exe
2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
1952	plotbinding.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

4 2948 msiexec.exe
5 2620 msiexec.exe

flow	pid	process
4	2948	msiexec.exe
5	2620	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\Y:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\X:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\R:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\P:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\Z:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\L:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\S:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\U:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\N:	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f7613e1.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f7613e1.ipi	msiexec.exe
File created	C:\Windows\Installer\f7613de.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7613de.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1636.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI152A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI155A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1599.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18F6.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2620 msiexec.exe
2620 msiexec.exe

pid	process
2620	msiexec.exe
2620	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe

description	pid	process
Token: SeRestorePrivilege	2620	msiexec.exe
Token: SeTakeOwnershipPrivilege	2620	msiexec.exe
Token: SeSecurityPrivilege	2620	msiexec.exe
Token: SeCreateTokenPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeTcbPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeBackupPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeRestorePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeShutdownPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeDebugPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeAuditPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeUndockPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeTcbPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeBackupPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeRestorePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeShutdownPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeDebugPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeAuditPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeUndockPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2948 msiexec.exe
2948 msiexec.exe

pid	process
2948	msiexec.exe
2948	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

msiexec.exe22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe

description	pid	process	target process
PID 2620 wrote to memory of 2500	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 2500	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 2500	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 2500	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 2500	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 2500	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 2500	2620	msiexec.exe	MsiExec.exe
PID 2360 wrote to memory of 2948	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe	msiexec.exe
PID 2360 wrote to memory of 2948	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe	msiexec.exe
PID 2360 wrote to memory of 2948	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe	msiexec.exe
PID 2360 wrote to memory of 2948	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe	msiexec.exe
PID 2360 wrote to memory of 2948	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe	msiexec.exe
PID 2360 wrote to memory of 2948	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe	msiexec.exe
PID 2360 wrote to memory of 2948	2360	22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe	msiexec.exe
PID 2620 wrote to memory of 1968	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 1968	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 1968	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 1968	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 1968	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 1968	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 1968	2620	msiexec.exe	MsiExec.exe
PID 2620 wrote to memory of 1952	2620	msiexec.exe	plotbinding.exe
PID 2620 wrote to memory of 1952	2620	msiexec.exe	plotbinding.exe
PID 2620 wrote to memory of 1952	2620	msiexec.exe	plotbinding.exe
PID 2620 wrote to memory of 1952	2620	msiexec.exe	plotbinding.exe

C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1711458851 " AI_EUIMSI=""
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 57D09F54D9B6178515001849B1C15F03 C
2⤵
- Loads dropped DLL
PID:2500

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0CE7656D0DBE959D9E19E242C291C
2⤵
- Loads dropped DLL
PID:1968

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe
"C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7613e2.rbs

Filesize
17KB

MD5
29157b5120eb284b477f4a08acdd25f2

SHA1
2719900fd07507a0a8315818bb75284fa2eefbff

SHA256
069d6fb04a7eff613de61b3f2017a3aa131e965b4b5639fd4e9ec5b89e1aba2d

SHA512
f7e49e2c88b431d9d40093898f851f0a8a9cbc7ab4512f716d82c0344409bc5c761ac60493e07a0e7f0860c1bddfd36cfbf3327790ca5bd0b4928c9d54c57046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb45640375b81c0eda9cd20b6a1eb5e4

SHA1
9afc7ac5c82da2a771c97dbccf3cf98eb1aa91e6

SHA256
5b0fdbd13b75f22c819bb61b74aa1e914c7d7f8f5705f44a9aa811984a56a5d0

SHA512
bfb0ab761b0c0f56939fab59c9ad91e43cb59b91e45e13ccbc6111920baed2afe4d58a4ab3399edda3afee49edb03593429d91965fae9eec7a75600942a53ca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
449cdb4bbcba0496859c0325e79aa7a0

SHA1
a0762ff0c35ec60750e3850de8dbfccfa1795cc2

SHA256
225e0f7451df88179628555f003c709681daad3d88da62d28071a3fcd9d8295c

SHA512
468da824caf490a19c81fdf6ea860292c047325dcdc3295e1dd3393ea7580c4c4be78b75bb38fa01f224ab2d201d6ceb49af00b6b19aa83d9168aea0bbaadf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1019.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1333.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI11D6.tmp

Filesize
391KB

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1235.tmp

Filesize
864KB

MD5
4e2e67fc241ab6e440ad2789f705fc69

SHA1
bda5f46c1f51656d3cbad481fa2c76a553f03aba

SHA256
98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392

SHA512
452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar102C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar13A3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\AForge.Video.dll

Filesize
20KB

MD5
0bd34aa29c7ea4181900797395a6da78

SHA1
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8

SHA256
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d

SHA512
a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\AForge.dll

Filesize
17KB

MD5
02c63f568e598aad85dd401d7b26e82a

SHA1
2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c

SHA256
966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da

SHA512
da9bff86be8fa890dda80a35ee6c851aa655f087f81804a23c73f8c586b7e13ac5a643e0a516a35787cd97b392aec16bfb95210080e4e53e6144fec9316acdb1

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\CHANGES.txt

Filesize
7KB

MD5
109e9d23496dc406050f895409be2531

SHA1
5a8659d65025b121c2a16d80d3d55cd9c3a5a7ef

SHA256
b58477a045a7411ff95ca8b1e055801d5d10055e2de52e1a94397919a09d82c2

SHA512
548fa0ec3b1a4056440867e7b7fd7374ab9d08e0156121ef7e1f7c57ae97a58b5c357cdd69ebd18df80ca4078fb595cddebda245b317213b140cac5069ab7058

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\COPYING.txt

Filesize
34KB

MD5
3c34afdc3adf82d2448f12715a255122

SHA1
7713a1753ce88f2c7e6b054ecc8e4c786df76300

SHA256
0b383d5a63da644f628d99c33976ea6487ed89aaa59f0b3257992deac1171e6b

SHA512
4937848b94f5b50ea16c51f9e98fdcd3953aca63d63ca3bb05d8a62c107e382b71c496838d130ae504a52032398630b957acaea6c48032081a6366d27cba5ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Interop.IWshRuntimeLibrary.dll

Filesize
48KB

MD5
9569c5ddd9ab1e7bfd24e41250a67903

SHA1
304afddbbaac26843cf53b9713e09a85fe525cac

SHA256
6a80b9d1bd609a3cb6af8cf8c1534f7baca1d78ad353ce6ed5b578a0ba96eb83

SHA512
7bc2a98f9fb934212cbc7b8dac21ec38b89b39a3f60ef53490bb25d07c286d1db4da1757b766f323615185aa26f094e601337110da14224fcfe3ce016eaf0c54

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\LICENSE.TXT

Filesize
2KB

MD5
fc292eaec94367e0775fa0638880ebce

SHA1
fa5ff95ef7e8f5ad9cfc77738f5e6c0ca96572dd

SHA256
971f1733cb237ddd626e579954938c6fc0e925ccbf885074ad5fcf19b4efbe2e

SHA512
4f3ceb0d390f47fae7294db5399177a1128dd196cf58a45768984c1783ae4e0c0d0746aae716b2a08f7058df214494a7fb20c8bc982d0e3b8cb3d70ccef7917f

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Mono.Cecil.Mdb.dll

Filesize
42KB

MD5
a269c436d17634aecf2ac0e95c44728c

SHA1
3dae54046aa5edbcf58ff38acc1d12682e3442b5

SHA256
f02a2d8154ef002863702d6513c6773ebbb83e520834c2ac8e38c6a7f0174e27

SHA512
bbd1740bce3d1eecccaa560696cc5b0999a1e00c3d6747f3bb93ab44a5f9a2186f01048fa69e173b89c40b98bddf13c4de92564b13c0ec36eb96b69ec65dc157

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Qt5TextToSpeech.dll

Filesize
49KB

MD5
3cdb361b43a3ce45145df5bad519df63

SHA1
8f7cfe31068584151bf913171c82949fd7a945f2

SHA256
8f5a39d8e35d981a8200fb4a83b42b72ec71a9c5db16a09c5df69b001bfb2e13

SHA512
88722199a716dbe665204d9d192207594cd3819130d22c07133e8a229628f66e5eddab60dbb1759ba389cf42398c32eafca8b74e07b3dfce4c916fd8715d566c

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\README.txt

Filesize
8KB

MD5
7539e219a0d2331524b97605c4fe641d

SHA1
718d7c209915ff4944a81ef38701542d63ea30e2

SHA256
3f169438204953468391d382ca1813c54a0301b733c59bef9178c2d55e9e7e0b

SHA512
c8886ba4445e612bedb7c9f8b8b7044c016ea45ad5f80b1a9082707a2b7c5334bfe6b7ac8df4c2f603d0bfd1dbb727691d65e3a6c14acc78104b869c9bb97dca

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\TurboJpegWrapper.dll

Filesize
19KB

MD5
f5639d78d8c860df0176b1499695e8b3

SHA1
a70f699d75903ca2ae31098f4687add23245804d

SHA256
9c8de413bf48e680ded9db3b3a4c7773642b9d6c76973ae95d40eb0cba31d4e2

SHA512
2098dd214db72b7f9b70c58cd1fcb53dd4982e441c19b3571941f9026e0dde0ae9005bb084ecb2f21ee2e24776fc95d60cb50b11fc536a68ad153efc1dc8ef0c

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\VolePaint30.dll

Filesize
2.3MB

MD5
795c8341c32fefc35f2ffd2d551d7ef6

SHA1
24d8a74be9f65b3efed95b07a41f9881bb10e59a

SHA256
52690baae3a6bd6c645d3434fc5016382e416cb86c21dab5635e846f6cf8c253

SHA512
0ce68673541d806604cf618a7b2b8f68a7662ed06f2a0af892dbfe4da5e8a92f8fe340342d7759869dc9de9e13850015ab65dbc601ea4381424092cba6af34a8

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\adv.msi

Filesize
2.1MB

MD5
38e86aa5edd43ebb9fde9e7f91d401ab

SHA1
8692b4df65292468ff980a1db65e7430a8e28338

SHA256
4728fecc96ddafbb605e1495520cc6f0481c01c347c18be5a9f1c2438b645ce1

SHA512
7c27a44e4c7beaca814eea950c2e456c937e20bfd66b78de1e859bbe197a76b238c6eaaf7b4caf3f107cd54d27b3b436e039bd9f340f2436db74258af98ea07a

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\clock_common.dll

Filesize
64KB

MD5
85d02f053f1151ac4d3fdda5ea10adc6

SHA1
a134e20a33387a3bfe256b36585d9ccb6113a29f

SHA256
989354441731eafd1cd63285ab681176a43f08ea999362c5d792c9b2bcbd6564

SHA512
146233b07a3d81f7aa7c2a5e055935fb61307e20dc15b168c248f6d83f934d916184b568e39f7ad8c6ce28d26eb5b1605d6b2200b5ddc2b6cf0bc0dd114981c2

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\fonts\fonts.conf

Filesize
5KB

MD5
4291285924e90d1a1fcf1ddfc51adad3

SHA1
74f2d9b2f9665a1ff083701456a0fbfe351f855a

SHA256
68011bc3741ebcea48f08ff2aed8519762a946f3e0fb9c224b1d3810ebf5bf4b

SHA512
80b570051324f0987f388b78f2b2b2a50df2ece82eb6c003ed4ab5fc1456789fdb4a616c3be760580d30f48aef656eb3604cbd0a7808c49f03b347f2d4388cee

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libEGL.dll

Filesize
24KB

MD5
b84df33197a94abb399c7e08fcd1fcae

SHA1
5b6d24397dafcfab12dda13921d12e1f20439a19

SHA256
900ebaee275fcddc81cce3b04c6a1e13dba18670c0aba82d54eeefa76355edfa

SHA512
83ffb35a026b4e72de3f024243d630fd17ce498f9d552db0a3292199899c7520c01f9a5e1d4709ab7f7e8b2cb9c5168a93e8b3d9f3b98b32a28329f99714321e

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libffi-6.dll

Filesize
49KB

MD5
c4059a8eec8ad3abc6432238f7491a2b

SHA1
f1c6cf3fa216f73ba44bd481c685ef30cfd3d284

SHA256
a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da

SHA512
0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libgmodule-2.0-0.dll

Filesize
41KB

MD5
4d233a220f91de3b1510d017b5481942

SHA1
c59f449b0d09127d18268e7b07da3f7d749b2720

SHA256
08336089e280805c8ac89f7476526f944b5868c014748b6dc29f65167e9e3ab0

SHA512
a86a1f9b5d160813c6e2f771962f303428604057b9613021bf7844c1204cfca0a18571a28d950d7999acc4ecde0605095f9a460a9b79fe2bbe02f080c2683923

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libgthread-2.0-0.dll

Filesize
35KB

MD5
cf2571c125fa1d2ec55b9977054f380a

SHA1
91014dd50f0eeb0d3d1faed77541c76a05b712b8

SHA256
02b817b6db18db2dfccefdd08eed64a696e2bf326f4120ee7e93ae6aa73bccb3

SHA512
a95bf3436ea2fac443924c5fc31fcd4337a44702ef38ca82d744474301e53f14721eaeb0f21e515ccff8569e7b7d81107fb5a4cf2ae485cd4a5d2dc95dae8f9b

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libogg-0.dll

Filesize
45KB

MD5
84e8e72572d53558d52403011fa0d388

SHA1
865160da7dbfaaea224541eb44e9430e1a7b7b20

SHA256
ca717b5cf2a7b0e047aabad985c631278941c58f16e2e9650ca12c3a331fcd4f

SHA512
47ee932bfa4ee3c51c3828ef8c6923e5b946966ad8e255bc2c53a60443aa2d4ab17521f21912a6f0469c7898d6543dc4b1783a86ddb5a84568818a7b37ec3992

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\liborc-test-0.4-0.dll

Filesize
51KB

MD5
00d68e20169f763376095705c1520c4f

SHA1
75ec5e1974654613c9eeeff047f1eb58694fd656

SHA256
3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f

SHA512
4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\mingwm10.dll

Filesize
7KB

MD5
a5a239c980d6791086b7fe0e2ca38974

SHA1
dbd8e70db07ac78e007b13cc8ae80c9a3885a592

SHA256
fb33c708c2f83c188dc024b65cb620d7e2c3939c155bc1c15dc73dccebe256b7

SHA512
8667904dda77c994f646083ef39b1f69c2961758c3da60cecadfe6d349dd99934c4d8784f8e38ae8b8c9eb9762edd546f2a7b579f02612578f8049e9d10e8da7

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\nqf

Filesize
304KB

MD5
409a406d256db9eb024aaeeb346f7a65

SHA1
3a18ea9e1e80c2b1dea030a2f3cf689b52e1543f

SHA256
5686b211ee592583291cf562d369390b376f5d67a1ed7b5ad9adb86b4bc0f603

SHA512
b326172fa7cef082fe99204b14fd02bb53260a11abebdea24a52c0b5abfce63baf5150880b047a45707a81dfdd06930e2ed3d4b1a5e336c768f39643e6c83d70

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pango\pango.modules

Filesize
178B

MD5
7a7327019610dfb25d5fafb2d2b0f3ab

SHA1
812af1f65174c63c4a90dd72d29d6e1180075a6e

SHA256
cab115828e04766fbf8e20b5ca6e5632e089f407b338832081d8b42f62fea38a

SHA512
9d7d7fd408d0e0cbe8df24cf1184aa9c24f41dc94d98e7262d04e617b7252381e6845b9e2724557246af8696a5e0cb99f1d15b3889aebd7887fac99e68b79849

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\black.png

Filesize
113B

MD5
a875753fd4e92edad63f5d8b9a79426b

SHA1
241b7f8bc325993b8044498ec4a6c03d576c6b48

SHA256
d09f2e254540dc26a948cf49ac09de2ffea210ad9d8fb77ab7a943ce938b5570

SHA512
b04ee55b20c42a36e6125ef883161eaae11a990a99042b7fefccf0433455e35c621b8f10587a6292adc0f71ccf9a896c0264c8607614196d311de86b28c338dc

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\blue.png

Filesize
133B

MD5
b8ea81eb3944bd027399ca0fcb30352c

SHA1
7cc576da81018985c254d717f5b5d1df92501676

SHA256
bc0824b76bf4a3340f9314795d6d7bb91d768ccde49ce559a409db35d79c7a31

SHA512
7ac010c47be59bda5c805101f482e5c5ec2a4246685985a2452a0fcb368bcedfabf0e1a45d195049c8c45088242bd5d63aa62d2187d839be92e3f7b028f4069b

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\default-pen.png

Filesize
1KB

MD5
c4955d57acd2624a50c575f6caa260b5

SHA1
4628d5e10edbe3756f663dde3fdfaf9e3293d9c3

SHA256
e743ec338f096a7169823d00a2d84ff60f8f88e85fc4ceb4f056335256e29636

SHA512
296bbdcc4dce24281240c798719cd819b8a2d0e0f2a3dc862adfba7dc9c8e1d1055cb01fc422ae8cd683d88b4ba5256b90b84248d290adb04f57172f5c04dcd1

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\eraser.png

Filesize
885B

MD5
965f4596779c9396a0d16ab2d81a81dc

SHA1
1eb33e421405af7a7fdbb8f5866b75ccd0faaf5b

SHA256
8b38c37c750492f3984c64e9f0ac8ba5832b2b29800b945f43f1ade9ddcd2f1b

SHA512
beb7ade2bff13258f337bc42c7dcd55629330270e28e01449f30b2f9eb5a184f5c6b3547d4ab22748c8790ce162b22692b23c5b9430fa1b103172fe9ecc8eec4

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\fullscreen.png

Filesize
836B

MD5
04caf9e7479493621e6962147e092540

SHA1
5de82e54ea9b1fc4998103931646f254d507b472

SHA256
f44df404099bd1c100bc9dcb678b717374ea854ea031a1c128391a087c6eb7ab

SHA512
30b9bf1d7178555a1edea44a1bf93e87863f83bac8d545860477207c8463b01323306288eb4cadd086d1bd1f0990596d1c78eee34a834e63f3a9a3c6d799b404

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\gray.png

Filesize
133B

MD5
c89a78efc324ac45ab7f3e4d945ef35b

SHA1
fdfdf1971f8094b6b4ee86754ad72566766614ea

SHA256
42645af572363377e59ba2628987d439b6ec124d86026e7e8991ed9ba269d402

SHA512
1378aa65ea69ee55acf5b90952323aa50c6f5353c00df0a81c6fc26e98f376b2b8badc6993bccb81cf463570781a9ea53366f2de5ac05bf3a18c576a22f42a5d

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\green.png

Filesize
131B

MD5
307c26bd60cd59634672c8b139921428

SHA1
7ce1006156580c340f75c2514e60734b55b18cd0

SHA256
5507b254b0eb434dc49c85f5d1bff54bf427f7419636dace91ed2c583db84b8c

SHA512
96fea9bf2b9c2ea3a6a1be7556f28f12ddea77a5490af57d3d2ca7334861f92a7ed43ee53093e5fee9c65c66cd16caf51437a01e5b76b0176565b1bb581251b5

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\hand.png

Filesize
618B

MD5
5477c6f1b114884d907cd215adde9e84

SHA1
5fc527a9e978c506a6971ba628bdb5f4f147b459

SHA256
06d42e7dd5e554cfc3075d3222234633b15811786ca69a732f0b369632b02292

SHA512
5abf754e51ce74280000bd6a567b64ba339b396fb9315ed79acfa98331f754c45587325a17a0f9b36a532880502dba2b28cdf2eaf53658732c84a7ecd07bb0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\highlighter.png

Filesize
232B

MD5
9145636a155628aa5b08f50d241b5162

SHA1
9c58534e13496d4979e9c7baa1d8d2eeb85e450e

SHA256
e4dba621d326a8faf3639c102b82909737d26e176bf4a95fd7dcc901bce715bd

SHA512
7b2949a005a063abc68fd6aed7be8f69f369d73075bd75dd89bc2f2fa66c20b2976dc7f079bbb9ba165a6582b795f2d99e705f867d53de99084e59028ee4fb84

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\lasso.png

Filesize
852B

MD5
9b8bd91306bf3a0f15b9a1ad41d81eb1

SHA1
59c0690f6740edde06b7263f4da7ec64a7fc38b3

SHA256
1eb68b3a86580821bb6500df0d5b5d2ba4df33dbe50b4e6b3f5de5b452b8cf80

SHA512
f751c47abbe210877dfc5101c0a4a4c7d392c5a5885c344904ba72b3b55c000508999442d1dfc670f5ba5d491df87a420b87eb88e63194ad8b12107916be6fc5

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\lightblue.png

Filesize
132B

MD5
9b810e6318fe4d7ccea2370934167157

SHA1
2db4d6f6c38bc26aa27ea2af8901e491f27a2774

SHA256
4fbe3e58c531bb3b7286c28882a0051a39c6381b5a68d2303b9d3f114964e790

SHA512
d8665bd27eb797b017f9b63cc1a558fc612e9beecbc9ba4d69551fe18da335554ab8f0da1d4289c1a9ef5866892f68f7a4dabe7bb88cce18b054053038702945

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\lightgreen.png

Filesize
129B

MD5
90a9382db46c60f9a3093c33b52dc260

SHA1
7fe3d05123b4547c8dfca90230b908f5a4ebb9e8

SHA256
e9a7a05f3bc1e15cad99814666d53169047294efb41c20a1f28cff6a6a65a15e

SHA512
76ef977dd27aec97722e73b3fcad6633feb16a0317d26b6be72a4406c265b58e6e89e39a87592fa0f2effe6101f435097d210fae4ee2cbfacacb0be49f4ea5e5

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\magenta.png

Filesize
131B

MD5
c83c2fcc196e434b12c26e6b9c21ab3b

SHA1
8078e6fb3302cb2d54b48d1709429c14926a8f14

SHA256
b3d5848f1b4fea9070ab8ffc0b6e30c81eda6691bc5f16ddd375506e9191101e

SHA512
e49893f19254ba6e451cdfe2e0915615272c18f3fce1d122ed52453051f4231cc8fe9e11bc2a1242e437ff5681065cea960fe06635dfb6b46cc3a9a08084808a

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\medium.png

Filesize
318B

MD5
4e6ca2356866781fac9205631a107697

SHA1
55a0846403d3dcadefef218772383072e59f2adb

SHA256
13b92c015aee903af3bdeaa3964fdc5891006756da507bcdc491369703fb2d30

SHA512
3c3dc97ca9cd38bd71b977d3401a4a8bdfdf6257c50ef59382ff468881b9ff38f02b0cc97a0eb3f55882cb471e99425b811d3d404d83fad9788ebc79a20b13c1

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\orange.png

Filesize
131B

MD5
508e1009dc053e2033a9018023b48868

SHA1
02e1e20fa7472df9f21c8d18566ada54ff8c5560

SHA256
e9a1c3ebd4822747a4c83607746d6cc68ac5ed80d7f08ade928dc178f798dd32

SHA512
f43cc7e62dda86b89d9b690465f2307a9f89bdd30231ac5cf0fc21c7ac2daf89e42d0178f08a0951c4c5a957ee37fd20d60ce36d58726d53e2729f530ffbcb54

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\plotbinding.exe

Filesize
5.0MB

MD5
dd4f414eaa72de78b0e96a65bb50a4b9

SHA1
b62de26bef42ed77d5dcae0580e555e436006456

SHA256
9edbeedf3d8376f5922784c8c9c33af0d0836a9b98aaac60e1e32108270726d7

SHA512
63ef9372375587b4a61cc655e5b722259e1c6b2314df57c27f44cb811a1a7237ca58e5a068c84f70c8d1bc1b689aa6fa7b997b57dd1f35fe9ee52db93c20eb5e

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\plugin_core.dll

Filesize
133KB

MD5
b79d7159ba735958c18148dcdf543571

SHA1
d7d4d4aedf7897092665dfc573e9fe9c313c2fe4

SHA256
638aa5d39ae52d09317c001bb8163fbf1ffdea03e371ed61457d765ad35a5e52

SHA512
79b7ae9a722714c6d640f35b81e54fb9a0b8e6042b99705094d6e968736d1389ed0e2a90c5120955a458d158d9af8a485ff4b5dbc9227165c11dcf62fd180c71

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\postinstall_readme.txt

Filesize
1KB

MD5
24ac8ba156f8fbfd86a4292e4f44631b

SHA1
081d1ec03058bba9ff43b40f39891b82a3cb3b6e

SHA256
37c45cea617294e1aff68e83fdf0ff14ca454049f9896b5ccd2bdeb22140fa1e

SHA512
9874047be537596921ee8375e274499dce122f45257c714c0bcab5ba5e9a91540c37578b9f96e4a9a3376c3a311ef934b85758db1aa8d71329dce74ed17f6581

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pthreadGC2.dll

Filesize
35KB

MD5
928c9eea653311af8efc155da5a1d6a5

SHA1
27300fcd5c22245573f5595ecbd64fce89c53750

SHA256
6dc4bee625a2c5e3499e36fe7c6ff8ead92adf6aae40c4099fdc8ef82e85b387

SHA512
0541d706bb53f8a04c78fcf327c4557553fa901d645ad2fd446e79753b4729f1e36793f42fbdd9b5e92073a30ed9a3dd853773a06ebea8e9302ece91a6c5362c

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\skin_draw.dll

Filesize
61KB

MD5
72ad6c45aaf461326f5a512afb4b33b0

SHA1
4b6791aa02c76e96256bf19ec9ff828303a308b8

SHA256
dcf318a760aeecca2496417d5111b059867471919d2721d766da7d29d29df305

SHA512
5c495d059aa51beb4be143a9beb496f380b84f28bc4090e2c21f942e5847dfb5c2cdfd759636eacf4b2820fb6f68cccd8b60ce336a721d03575f45f9496f6b99

Download Submit
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\ssleay32.dll

Filesize
270KB

MD5
cb48c0854cf3264c3baa3c2da76ec014

SHA1
01152fecaf127f9874ce8c9978bf570aa6309beb

SHA256
dc1684abc539f789791ad1518557d5ad654816dee904eaa5021556419ae5325b

SHA512
dd67a556a7c20e51129640eb1ab590c4da5fbbff9ae965adb56bdbc5079f9f468473728c60d229c1a1bc70a872da2ac250b080df1ad55534b88a1d61bd3b5e10

Download Submit
C:\Windows\Installer\MSI16C4.tmp

Filesize
569KB

MD5
0be7cdee6c5103c740539d18a94acbd0

SHA1
a364c342ff150f69b471b922c0d065630a0989bb

SHA256
41abe8eb54a1910e6fc97fcea4de37a67058b7527badae8f39fba3788c46de14

SHA512
f96ef5458fdc985501e0dca9cac3c912b3f2308be29eb8e6a305a3b02a3c61b129c4db2c98980b32fd01779566fa5173b2d841755d3cb30885e2f130e4ad6e2c

Download Submit
\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\decoder.dll

Filesize
202KB

MD5
831e0b597db11a6eb6f3f797105f7be8

SHA1
d89154670218f9fba4515b0c1c634ae0900ca6d4

SHA256
e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7

SHA512
e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

Download Submit
memory/1952-451-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/1952-454-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download