Malware Analysis Report

2024-09-22 16:35

Sample ID 240329-qjj4vahd41
Target 22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118
SHA256 2ea6afd8cd172d7a43de0e037d7250b9036de4b87e1f0c10ba04c286c8c58704
Tags
arkei babadeda default crypter loader stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ea6afd8cd172d7a43de0e037d7250b9036de4b87e1f0c10ba04c286c8c58704

Threat Level: Known bad

The file 22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

arkei babadeda default crypter loader stealer

Babadeda

Babadeda Crypter

Arkei

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Blocklisted process makes network request

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-29 13:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 13:17

Reported

2024-03-29 13:19

Platform

win7-20240220-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe"

Signatures

Arkei

stealer arkei

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f7613e1.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7613e1.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7613de.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7613de.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1636.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI16C4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI152A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI155A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1599.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI18F6.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <DER certificate blob omitted; recorded three times; the hex decodes to the DigiCert Assured ID Root CA, whose embedded SHA1 hash property matches the key name> C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 2500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 2500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2360 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2360 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2360 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2360 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2360 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2360 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2360 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2620 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2620 wrote to memory of 1952 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe
PID 2620 wrote to memory of 1952 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe
PID 2620 wrote to memory of 1952 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe
PID 2620 wrote to memory of 1952 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 57D09F54D9B6178515001849B1C15F03 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1711458851 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0CE7656D0DBE959D9E19E242C291C

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe

"C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe"

Network

Files

\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\decoder.dll

MD5 831e0b597db11a6eb6f3f797105f7be8
SHA1 d89154670218f9fba4515b0c1c634ae0900ca6d4
SHA256 e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7
SHA512 e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\adv.msi

MD5 38e86aa5edd43ebb9fde9e7f91d401ab
SHA1 8692b4df65292468ff980a1db65e7430a8e28338
SHA256 4728fecc96ddafbb605e1495520cc6f0481c01c347c18be5a9f1c2438b645ce1
SHA512 7c27a44e4c7beaca814eea950c2e456c937e20bfd66b78de1e859bbe197a76b238c6eaaf7b4caf3f107cd54d27b3b436e039bd9f340f2436db74258af98ea07a

C:\Users\Admin\AppData\Local\Temp\Cab1019.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar102C.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\MSI11D6.tmp

MD5 a32decee57c661563b038d4f324e2b42
SHA1 3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2
SHA256 fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04
SHA512 e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

C:\Users\Admin\AppData\Local\Temp\MSI1235.tmp

MD5 4e2e67fc241ab6e440ad2789f705fc69
SHA1 bda5f46c1f51656d3cbad481fa2c76a553f03aba
SHA256 98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392
SHA512 452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

C:\Users\Admin\AppData\Local\Temp\Cab1333.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb45640375b81c0eda9cd20b6a1eb5e4
SHA1 9afc7ac5c82da2a771c97dbccf3cf98eb1aa91e6
SHA256 5b0fdbd13b75f22c819bb61b74aa1e914c7d7f8f5705f44a9aa811984a56a5d0
SHA512 bfb0ab761b0c0f56939fab59c9ad91e43cb59b91e45e13ccbc6111920baed2afe4d58a4ab3399edda3afee49edb03593429d91965fae9eec7a75600942a53ca7

C:\Users\Admin\AppData\Local\Temp\Tar13A3.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 449cdb4bbcba0496859c0325e79aa7a0
SHA1 a0762ff0c35ec60750e3850de8dbfccfa1795cc2
SHA256 225e0f7451df88179628555f003c709681daad3d88da62d28071a3fcd9d8295c
SHA512 468da824caf490a19c81fdf6ea860292c047325dcdc3295e1dd3393ea7580c4c4be78b75bb38fa01f224ab2d201d6ceb49af00b6b19aa83d9168aea0bbaadf4f

C:\Windows\Installer\MSI16C4.tmp

MD5 0be7cdee6c5103c740539d18a94acbd0
SHA1 a364c342ff150f69b471b922c0d065630a0989bb
SHA256 41abe8eb54a1910e6fc97fcea4de37a67058b7527badae8f39fba3788c46de14
SHA512 f96ef5458fdc985501e0dca9cac3c912b3f2308be29eb8e6a305a3b02a3c61b129c4db2c98980b32fd01779566fa5173b2d841755d3cb30885e2f130e4ad6e2c

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\VolePaint30.dll

MD5 795c8341c32fefc35f2ffd2d551d7ef6
SHA1 24d8a74be9f65b3efed95b07a41f9881bb10e59a
SHA256 52690baae3a6bd6c645d3434fc5016382e416cb86c21dab5635e846f6cf8c253
SHA512 0ce68673541d806604cf618a7b2b8f68a7662ed06f2a0af892dbfe4da5e8a92f8fe340342d7759869dc9de9e13850015ab65dbc601ea4381424092cba6af34a8

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\plotbinding.exe

MD5 dd4f414eaa72de78b0e96a65bb50a4b9
SHA1 b62de26bef42ed77d5dcae0580e555e436006456
SHA256 9edbeedf3d8376f5922784c8c9c33af0d0836a9b98aaac60e1e32108270726d7
SHA512 63ef9372375587b4a61cc655e5b722259e1c6b2314df57c27f44cb811a1a7237ca58e5a068c84f70c8d1bc1b689aa6fa7b997b57dd1f35fe9ee52db93c20eb5e

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\nqf

MD5 409a406d256db9eb024aaeeb346f7a65
SHA1 3a18ea9e1e80c2b1dea030a2f3cf689b52e1543f
SHA256 5686b211ee592583291cf562d369390b376f5d67a1ed7b5ad9adb86b4bc0f603
SHA512 b326172fa7cef082fe99204b14fd02bb53260a11abebdea24a52c0b5abfce63baf5150880b047a45707a81dfdd06930e2ed3d4b1a5e336c768f39643e6c83d70

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\ssleay32.dll

MD5 cb48c0854cf3264c3baa3c2da76ec014
SHA1 01152fecaf127f9874ce8c9978bf570aa6309beb
SHA256 dc1684abc539f789791ad1518557d5ad654816dee904eaa5021556419ae5325b
SHA512 dd67a556a7c20e51129640eb1ab590c4da5fbbff9ae965adb56bdbc5079f9f468473728c60d229c1a1bc70a872da2ac250b080df1ad55534b88a1d61bd3b5e10

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\plugin_core.dll

MD5 b79d7159ba735958c18148dcdf543571
SHA1 d7d4d4aedf7897092665dfc573e9fe9c313c2fe4
SHA256 638aa5d39ae52d09317c001bb8163fbf1ffdea03e371ed61457d765ad35a5e52
SHA512 79b7ae9a722714c6d640f35b81e54fb9a0b8e6042b99705094d6e968736d1389ed0e2a90c5120955a458d158d9af8a485ff4b5dbc9227165c11dcf62fd180c71

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\skin_draw.dll

MD5 72ad6c45aaf461326f5a512afb4b33b0
SHA1 4b6791aa02c76e96256bf19ec9ff828303a308b8
SHA256 dcf318a760aeecca2496417d5111b059867471919d2721d766da7d29d29df305
SHA512 5c495d059aa51beb4be143a9beb496f380b84f28bc4090e2c21f942e5847dfb5c2cdfd759636eacf4b2820fb6f68cccd8b60ce336a721d03575f45f9496f6b99

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\clock_common.dll

MD5 85d02f053f1151ac4d3fdda5ea10adc6
SHA1 a134e20a33387a3bfe256b36585d9ccb6113a29f
SHA256 989354441731eafd1cd63285ab681176a43f08ea999362c5d792c9b2bcbd6564
SHA512 146233b07a3d81f7aa7c2a5e055935fb61307e20dc15b168c248f6d83f934d916184b568e39f7ad8c6ce28d26eb5b1605d6b2200b5ddc2b6cf0bc0dd114981c2

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Qt5TextToSpeech.dll

MD5 3cdb361b43a3ce45145df5bad519df63
SHA1 8f7cfe31068584151bf913171c82949fd7a945f2
SHA256 8f5a39d8e35d981a8200fb4a83b42b72ec71a9c5db16a09c5df69b001bfb2e13
SHA512 88722199a716dbe665204d9d192207594cd3819130d22c07133e8a229628f66e5eddab60dbb1759ba389cf42398c32eafca8b74e07b3dfce4c916fd8715d566c

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libEGL.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Interop.IWshRuntimeLibrary.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\LICENSE.TXT

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\postinstall_readme.txt

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\README.txt

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\CHANGES.txt

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libogg-0.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Mono.Cecil.Mdb.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\liborc-test-0.4-0.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libffi-6.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libgmodule-2.0-0.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libgthread-2.0-0.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\mingwm10.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pthreadGC2.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\TurboJpegWrapper.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\COPYING.txt

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\AForge.Video.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\AForge.dll

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\fonts\fonts.conf

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pango\pango.modules

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\black.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\blue.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\default-pen.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\eraser.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\fullscreen.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\green.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\hand.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\gray.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\highlighter.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\lasso.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\orange.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\medium.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\magenta.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\lightgreen.png

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\lightblue.png

C:\Config.Msi\f7613e2.rbs

memory/1952-451-0x0000000000400000-0x0000000000902000-memory.dmp

memory/1952-454-0x0000000000400000-0x0000000000902000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 13:17

Reported

2024-03-29 13:19

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe"

Signatures

Arkei

stealer arkei

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e5759f7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5759f7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5B51.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5A84.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C0E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C5D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{7DF96840-4DBA-4728-9728-2C78FF4F67A4} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5AE2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5BA0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6066.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 384 wrote to memory of 3016 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 384 wrote to memory of 3016 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 384 wrote to memory of 3016 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 116 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 116 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 116 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 384 wrote to memory of 4560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 384 wrote to memory of 4560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 384 wrote to memory of 4560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 384 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe
PID 384 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe
PID 384 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E2AF78E0BE3DC0FAB42778AB612FB2D7 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1711477644 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A154353E4FEC43FD9DE2CF1C7CB06C4F

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe

"C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe"
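
The Processes list above carries no PIDs, so the execution chain has to be recovered from the "Suspicious use of WriteProcessMemory" rows: PID 116 (the submitted sample, running from AppData\Local\Temp) wrote into PID 4712 (msiexec.exe), and PID 384 (the C:\Windows\system32\msiexec.exe /V service instance) wrote into 3016, 4560 (the two -Embedding custom-action hosts) and 1540 (plotbinding.exe). Two details are worth noting: the sample invokes "C:\Windows\system32\msiexec.exe" /i adv.msi but the recorded image is C:\Windows\SysWOW64\msiexec.exe, which is WoW64 file-system redirection for a 32-bit parent; and the AI_SETUPEXEPATH, SETUPEXEDIR, EXE_CMD_LINE and AI_EUIMSI properties on that command line are the ones an Advanced Installer EXE bootstrapper hands to its embedded MSI. The script below is an added example, not part of the report: it parses those rows (copied from the table, duplicate write events dropped), rebuilds the tree, and flags the two links that make the chain suspicious. Treating "PID A wrote to memory of B" as "A created B" is an assumption (that write is what CreateProcess does when it sets up a child, and every row here fits that pattern); the user-writable-path heuristic is likewise the example's own.

```python
"""Rebuild the execution chain from the report's WriteProcessMemory rows.

Added example; not code from the original report. ROWS is copied from the
report's table with duplicate write events removed. Reading "A wrote to
memory of B" as "A created B" and the USER_WRITABLE heuristic are this
example's assumptions.
"""
import re
from collections import defaultdict

ROWS = r"""
PID 384 wrote to memory of 3016 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 116 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 384 wrote to memory of 4560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 384 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe
"""

# Both image paths end in .exe and may contain spaces ("Tua Rua Ltd"), so the
# writer's path is matched non-greedily up to the first ".exe " boundary.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?\.exe) (.+\.exe)$", re.I)

# Directory markers an unprivileged user can write to (heuristic, assumption).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def parse_rows(text):
    """Return (children, image): parent pid -> set of child pids, pid -> image path."""
    children = defaultdict(set)
    image = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child, ppath, cpath = m.groups()
        parent, child = int(parent), int(child)
        children[parent].add(child)
        image.setdefault(parent, ppath)
        image.setdefault(child, cpath)
    return dict(children), image


def roots(children):
    """Pids that never appear as somebody's child: the top of each chain."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def render_tree(children, image):
    """Indented text tree, one process per line, roots in pid order."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {image[pid]}")
        for c in sorted(children.get(pid, ())):
            walk(c, depth + 1)

    for r in roots(children):
        walk(r, 0)
    return "\n".join(lines)


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_msiexec(path):
    return path.lower().endswith("\\msiexec.exe")


def flag_chain(children, image):
    """Return one finding per parent->child link that matches a heuristic."""
    findings = []
    for parent, kids in children.items():
        ppath = image[parent]
        for child in sorted(kids):
            cpath = image[child]
            if is_user_writable(ppath) and is_msiexec(cpath):
                findings.append(f"{parent}->{child}: executable in user-writable path started msiexec")
            elif is_msiexec(ppath) and is_user_writable(cpath):
                findings.append(f"{parent}->{child}: msiexec launched an executable from a user-writable path")
    return findings


if __name__ == "__main__":
    kids, img = parse_rows(ROWS)
    print(render_tree(kids, img))
    for finding in flag_chain(kids, img):
        print("FLAG", finding)
```

Run stand-alone it prints two roots (116, the sample, and 384, the installer service) and two flags: 116->4712 (a Temp-resident executable driving msiexec) and 384->1540 (the installer service launching plotbinding.exe out of AppData\Roaming). The msiexec-to-MsiExec links for 3016 and 4560 are the service's normal custom-action hosts and are deliberately not flagged.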

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\decoder.dll

MD5 831e0b597db11a6eb6f3f797105f7be8
SHA1 d89154670218f9fba4515b0c1c634ae0900ca6d4
SHA256 e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7
SHA512 e5e71a62c937e7d1c2cf7698bc80fa42732ddd82735ba0ccaee28aee7a7ea7b2132650dfd2c483eb6fb93f447b59643e1a3d6d077a50f0cd42b6f3fc78c1ad8f

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\adv.msi

MD5 38e86aa5edd43ebb9fde9e7f91d401ab
SHA1 8692b4df65292468ff980a1db65e7430a8e28338
SHA256 4728fecc96ddafbb605e1495520cc6f0481c01c347c18be5a9f1c2438b645ce1
SHA512 7c27a44e4c7beaca814eea950c2e456c937e20bfd66b78de1e859bbe197a76b238c6eaaf7b4caf3f107cd54d27b3b436e039bd9f340f2436db74258af98ea07a

C:\Users\Admin\AppData\Local\Temp\MSI56EB.tmp

MD5 a32decee57c661563b038d4f324e2b42
SHA1 3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2
SHA256 fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04
SHA512 e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

C:\Users\Admin\AppData\Local\Temp\MSI57C7.tmp

MD5 4e2e67fc241ab6e440ad2789f705fc69
SHA1 bda5f46c1f51656d3cbad481fa2c76a553f03aba
SHA256 98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392
SHA512 452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

C:\Windows\Installer\MSI5C5D.tmp

MD5 0be7cdee6c5103c740539d18a94acbd0
SHA1 a364c342ff150f69b471b922c0d065630a0989bb
SHA256 41abe8eb54a1910e6fc97fcea4de37a67058b7527badae8f39fba3788c46de14
SHA512 f96ef5458fdc985501e0dca9cac3c912b3f2308be29eb8e6a305a3b02a3c61b129c4db2c98980b32fd01779566fa5173b2d841755d3cb30885e2f130e4ad6e2c

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\VolePaint30.dll

MD5 795c8341c32fefc35f2ffd2d551d7ef6
SHA1 24d8a74be9f65b3efed95b07a41f9881bb10e59a
SHA256 52690baae3a6bd6c645d3434fc5016382e416cb86c21dab5635e846f6cf8c253
SHA512 0ce68673541d806604cf618a7b2b8f68a7662ed06f2a0af892dbfe4da5e8a92f8fe340342d7759869dc9de9e13850015ab65dbc601ea4381424092cba6af34a8

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\plotbinding.exe

MD5 dd4f414eaa72de78b0e96a65bb50a4b9
SHA1 b62de26bef42ed77d5dcae0580e555e436006456
SHA256 9edbeedf3d8376f5922784c8c9c33af0d0836a9b98aaac60e1e32108270726d7
SHA512 63ef9372375587b4a61cc655e5b722259e1c6b2314df57c27f44cb811a1a7237ca58e5a068c84f70c8d1bc1b689aa6fa7b997b57dd1f35fe9ee52db93c20eb5e

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\ssleay32.dll

MD5 cb48c0854cf3264c3baa3c2da76ec014
SHA1 01152fecaf127f9874ce8c9978bf570aa6309beb
SHA256 dc1684abc539f789791ad1518557d5ad654816dee904eaa5021556419ae5325b
SHA512 dd67a556a7c20e51129640eb1ab590c4da5fbbff9ae965adb56bdbc5079f9f468473728c60d229c1a1bc70a872da2ac250b080df1ad55534b88a1d61bd3b5e10

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libgthread-2.0-0.dll

MD5 cf2571c125fa1d2ec55b9977054f380a
SHA1 91014dd50f0eeb0d3d1faed77541c76a05b712b8
SHA256 02b817b6db18db2dfccefdd08eed64a696e2bf326f4120ee7e93ae6aa73bccb3
SHA512 a95bf3436ea2fac443924c5fc31fcd4337a44702ef38ca82d744474301e53f14721eaeb0f21e515ccff8569e7b7d81107fb5a4cf2ae485cd4a5d2dc95dae8f9b

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libgmodule-2.0-0.dll

MD5 4d233a220f91de3b1510d017b5481942
SHA1 c59f449b0d09127d18268e7b07da3f7d749b2720
SHA256 08336089e280805c8ac89f7476526f944b5868c014748b6dc29f65167e9e3ab0
SHA512 a86a1f9b5d160813c6e2f771962f303428604057b9613021bf7844c1204cfca0a18571a28d950d7999acc4ecde0605095f9a460a9b79fe2bbe02f080c2683923

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libffi-6.dll

MD5 c4059a8eec8ad3abc6432238f7491a2b
SHA1 f1c6cf3fa216f73ba44bd481c685ef30cfd3d284
SHA256 a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da
SHA512 0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\liborc-test-0.4-0.dll

MD5 00d68e20169f763376095705c1520c4f
SHA1 75ec5e1974654613c9eeeff047f1eb58694fd656
SHA256 3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f
SHA512 4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libogg-0.dll

MD5 84e8e72572d53558d52403011fa0d388
SHA1 865160da7dbfaaea224541eb44e9430e1a7b7b20
SHA256 ca717b5cf2a7b0e047aabad985c631278941c58f16e2e9650ca12c3a331fcd4f
SHA512 47ee932bfa4ee3c51c3828ef8c6923e5b946966ad8e255bc2c53a60443aa2d4ab17521f21912a6f0469c7898d6543dc4b1783a86ddb5a84568818a7b37ec3992

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Mono.Cecil.Mdb.dll

MD5 a269c436d17634aecf2ac0e95c44728c
SHA1 3dae54046aa5edbcf58ff38acc1d12682e3442b5
SHA256 f02a2d8154ef002863702d6513c6773ebbb83e520834c2ac8e38c6a7f0174e27
SHA512 bbd1740bce3d1eecccaa560696cc5b0999a1e00c3d6747f3bb93ab44a5f9a2186f01048fa69e173b89c40b98bddf13c4de92564b13c0ec36eb96b69ec65dc157

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Interop.IWshRuntimeLibrary.dll

MD5 9569c5ddd9ab1e7bfd24e41250a67903
SHA1 304afddbbaac26843cf53b9713e09a85fe525cac
SHA256 6a80b9d1bd609a3cb6af8cf8c1534f7baca1d78ad353ce6ed5b578a0ba96eb83
SHA512 7bc2a98f9fb934212cbc7b8dac21ec38b89b39a3f60ef53490bb25d07c286d1db4da1757b766f323615185aa26f094e601337110da14224fcfe3ce016eaf0c54

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\libEGL.dll

MD5 b84df33197a94abb399c7e08fcd1fcae
SHA1 5b6d24397dafcfab12dda13921d12e1f20439a19
SHA256 900ebaee275fcddc81cce3b04c6a1e13dba18670c0aba82d54eeefa76355edfa
SHA512 83ffb35a026b4e72de3f024243d630fd17ce498f9d552db0a3292199899c7520c01f9a5e1d4709ab7f7e8b2cb9c5168a93e8b3d9f3b98b32a28329f99714321e

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\images\erase.png

MD5 00786f0f3fb7705d81c018199412d814
SHA1 cb194c855dbc41063d5e1f488dc4c443e9329898
SHA256 313f14e773f93d470bcff9e42887d8672838cc64dc4682dc3a36cd3e4ade574f
SHA512 1cbdd14be8457582411fd6e1a18346bdbdddb7da7efe835f86058634d8bdb4a0ee92269b9efe7d4da8ea9f9689bfb03f0950dfc35036d2bf649a0e79d5125940

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\CHANGES.txt

MD5 109e9d23496dc406050f895409be2531
SHA1 5a8659d65025b121c2a16d80d3d55cd9c3a5a7ef
SHA256 b58477a045a7411ff95ca8b1e055801d5d10055e2de52e1a94397919a09d82c2
SHA512 548fa0ec3b1a4056440867e7b7fd7374ab9d08e0156121ef7e1f7c57ae97a58b5c357cdd69ebd18df80ca4078fb595cddebda245b317213b140cac5069ab7058

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\shapes.png

MD5 703e47707419d42fbc7a4988b7fc3718
SHA1 c6c0351539032039297981b6918dbe720b3515dd
SHA256 5314fddb320e575a345a2ba5a922372e086a31ad4baddbd6d4ab30681f2134dc
SHA512 32f751c7fc7cc69646e17b7cae36adff39ff86e60e838fb829208e3a9473dc0c5df18cd48b98464304481b98ab10e7e5dd9ea91b6864d48946c54f91cf8d2fd7

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\README.txt

MD5 7539e219a0d2331524b97605c4fe641d
SHA1 718d7c209915ff4944a81ef38701542d63ea30e2
SHA256 3f169438204953468391d382ca1813c54a0301b733c59bef9178c2d55e9e7e0b
SHA512 c8886ba4445e612bedb7c9f8b8b7044c016ea45ad5f80b1a9082707a2b7c5334bfe6b7ac8df4c2f603d0bfd1dbb727691d65e3a6c14acc78104b869c9bb97dca

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\postinstall_readme.txt

MD5 24ac8ba156f8fbfd86a4292e4f44631b
SHA1 081d1ec03058bba9ff43b40f39891b82a3cb3b6e
SHA256 37c45cea617294e1aff68e83fdf0ff14ca454049f9896b5ccd2bdeb22140fa1e
SHA512 9874047be537596921ee8375e274499dce122f45257c714c0bcab5ba5e9a91540c37578b9f96e4a9a3376c3a311ef934b85758db1aa8d71329dce74ed17f6581

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\magenta.png

MD5 c83c2fcc196e434b12c26e6b9c21ab3b
SHA1 8078e6fb3302cb2d54b48d1709429c14926a8f14
SHA256 b3d5848f1b4fea9070ab8ffc0b6e30c81eda6691bc5f16ddd375506e9191101e
SHA512 e49893f19254ba6e451cdfe2e0915615272c18f3fce1d122ed52453051f4231cc8fe9e11bc2a1242e437ff5681065cea960fe06635dfb6b46cc3a9a08084808a

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\LICENSE.TXT

MD5 fc292eaec94367e0775fa0638880ebce
SHA1 fa5ff95ef7e8f5ad9cfc77738f5e6c0ca96572dd
SHA256 971f1733cb237ddd626e579954938c6fc0e925ccbf885074ad5fcf19b4efbe2e
SHA512 4f3ceb0d390f47fae7294db5399177a1128dd196cf58a45768984c1783ae4e0c0d0746aae716b2a08f7058df214494a7fb20c8bc982d0e3b8cb3d70ccef7917f

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\lasso.png

MD5 9b8bd91306bf3a0f15b9a1ad41d81eb1
SHA1 59c0690f6740edde06b7263f4da7ec64a7fc38b3
SHA256 1eb68b3a86580821bb6500df0d5b5d2ba4df33dbe50b4e6b3f5de5b452b8cf80
SHA512 f751c47abbe210877dfc5101c0a4a4c7d392c5a5885c344904ba72b3b55c000508999442d1dfc670f5ba5d491df87a420b87eb88e63194ad8b12107916be6fc5

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\images\go_up.png

MD5 9c32ebe05150e4bd8075b0ca2dfcf5bc
SHA1 c0faa6a7f3d290a8bfda29ceaa3713caa15c1778
SHA256 bf136ab8dc1d65fdd3c281bde4e4eb3b403ba431afaa5e00fbea01033857383f
SHA512 9a7e7a3a69ca19235669775f1b9c8ec4ad3a951275d074e1aedba5ee8993565034849aa0c654ba4e8bca9cf2e49260fe04672af5585b8f0174ea0c5dda97a760

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\images\expan.bmp

MD5 695be8615004be742ddac43db43ac487
SHA1 3747820a5f0b7b52207c2a5293b9449fd677dda3
SHA256 85f372fc9abccc6ae0e9d69be11ba156b99a695785f80f0a4482d50dce86a3e5
SHA512 5d185a73e3954006de9c0c6fe6d48dc918435e5b751789ec3aaf50fdd093bf8f88ba9b172db99d6c49bc8c99e508147f5e6606e2d82d02b76e1011f1f42f20f6

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\images\list_header_right.bmp

MD5 94b5537faebdafaf42a04c1c4fdd7acf
SHA1 bd135a5d37623e0e9bb7e4ac6d89f8c9feba1fa1
SHA256 790e2a2e5fc950fe1053406fcadf8075a8a3ca8cb7712bb5ff81fa903d93e31d
SHA512 394fce01b6f0b4dd583df13fe94cac40a17c39e630d1a53f6e3f271553aa8b1f6c9e6842be29ae526fe0a2112bf48f4dd8d46dd176e76c3304faf61fb662fce1

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\yellow.png

MD5 cb719b65e847812d8b6db2e77d458b4c
SHA1 d15fbfee0cd586b79e32941041e06dc895f3e42a
SHA256 33926479fdfb7a008491979e2dcd10b9d412a12297056400930c6a5ac452233b
SHA512 9cc681db2601f35869af71fa3b1724cef5b33cedab1710a6cb47a0e0591852404963dd4ba418a77ca1dd3b0c4e545cb4c0498d2d57f568b86cf14c7801f64bf8

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Templates\CommandHandler.dat

MD5 bf2b6fd3796a5a485185b15ba39241e0
SHA1 438ed478342d22622a1ecfc519113e99afb57518
SHA256 585b0ac725ef370124243c99b766dd5d25e63e9c6bc09a6f05cdf0e573a3bf41
SHA512 07485b0a64ad6f039105a9acc9df82f8b6964f3f3978600a1a581121b7ec34b53b45317311d58cf48d4f4eeffeba0d35b5d0cd79a6826eafeace43f5f034b8da

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\images\add.png

MD5 0128ad7e04e9a25c9ab4316c13d8deff
SHA1 55068a4cc67a2fe94ec15ee46be67ad367d31117
SHA256 3386cab5cf90d40db4f15e34c6bd15cb832848c6b61fa1ca5fa3ad60ae7d9b04
SHA512 93baa7a401192059fbd95bd82449e9461ef5124bf748d8a9226e3df9a7194fc5eebb105146258e2629f0b139d00e6d2a30eec09510215fd69b9f788f18784fcd

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\imageformats\qgif4.dll

MD5 b690fdd8fcd1c2700f35388e9b1e5974
SHA1 51669dd917b3f81b7d4526af36938dcf8c0aa7d9
SHA256 3d5a5623cdea823a14102a43cac78902a73840434ba0fe9447aa8f37f887af4a
SHA512 d8f63a1893211d958a47eddc9cfc5de7f8fdf7f530662722d2176c8caf4b8d0791f43bb59048fb075c7f820fb86bd8c79fe96696392a7e336860638a3cee6b9e

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\gio-modules\libgiognutls.dll

MD5 23b5f97cbe4d3689ee08d0ae6abaf679
SHA1 80d7cd7ab23dcc3388531b42b0ee31fcaac16f88
SHA256 3b8faeaac389abd97198569f5e0ffa567e495be01e9a24311d128bd76f1dcc6e
SHA512 a7e4b8e75768e9d3b44b8b48beb5e57dd33a8ad83a8f49bd3adef5bd9a2c25c9832f4f95c13a604a20311a7ed7a74ede4bd6b34662a30e246fbbc2c93fceec98

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\share\themes\Raleigh\gtk-2.0\gtkrc

MD5 5fc9003ddc2c64b110b1161259f61923
SHA1 4ecddbcceddbd90a3a654d3788ec3aef8c197a8a
SHA256 6d9beaf039092aec5c1fbc23a62402bcd0704c45c430189a6ac69ae8aa797a67
SHA512 5c90f3f1037fff9f10aa2030bed2c670edd528482532e617549db2133e26cf801bdec56d4543feb024cdec1c0026909ca9a21b378ec3b89489c18c395660c9fc

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\share\themes\MS-Windows\gtk-2.0\gtkrc

MD5 94d104680cec5f3d8bbec56258d0c926
SHA1 72ede372fcb34b29754f20ad44f49bc8605cf22c
SHA256 e9dd3015f76e05f185ebe7564d364aef8b8168b05e62421c99875e14e4597977
SHA512 cf7d04304fa58e2dd9a8492b31b065c03c1f7ea96ab71d7d3d212eb17436c7c181470c23296fa3f599f1ef56c6b243921ed7f0a92ad3e0a6cd40a5fe857955a9

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\share\themes\Emacs\gtk-2.0-key\gtkrc

MD5 4b600a3c3c2ac37f7d0c13c4d86ac752
SHA1 d1da549c070d74aa9f9456c4c1e0ccbdde5256c8
SHA256 4214bee389645edcc7c9971ba35dc4d96e8c135ebc92c51c05b0c7dd36abd8e5
SHA512 d4ece8e39a80073bec016b375a75bb5ff5c697aff560e5d4aafc6031f26451f8d3ef32faf1a0b2be3470450eb2ea3ae8978cc444ee0e2d2ef374ef43340e64ba

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\share\locale\locale.alias

MD5 c26bd884605e7cb04a295fbf331e11a3
SHA1 7330ab3dc0410db503eba19976f027cf49eaeafe
SHA256 67cd91edbb01ea1eeb59f25c0a8cb6dfe90653fb5fc437d3d32cd0814804075a
SHA512 f88bbd4ce7ef42b710071efc5b3aa99f18b5da1e18b3e0d5b051acf125809a9eb94bcac9d91639660246a2406c30e93449d1ff81eace9caf18c6cd5e52ad85dd

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pixmaps\black.png

MD5 a875753fd4e92edad63f5d8b9a79426b
SHA1 241b7f8bc325993b8044498ec4a6c03d576c6b48
SHA256 d09f2e254540dc26a948cf49ac09de2ffea210ad9d8fb77ab7a943ce938b5570
SHA512 b04ee55b20c42a36e6125ef883161eaae11a990a99042b7fefccf0433455e35c621b8f10587a6292adc0f71ccf9a896c0264c8607614196d311de86b28c338dc

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pango\pango.modules

MD5 7a7327019610dfb25d5fafb2d2b0f3ab
SHA1 812af1f65174c63c4a90dd72d29d6e1180075a6e
SHA256 cab115828e04766fbf8e20b5ca6e5632e089f407b338832081d8b42f62fea38a
SHA512 9d7d7fd408d0e0cbe8df24cf1184aa9c24f41dc94d98e7262d04e617b7252381e6845b9e2724557246af8696a5e0cb99f1d15b3889aebd7887fac99e68b79849

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\fonts\fonts.conf

MD5 4291285924e90d1a1fcf1ddfc51adad3
SHA1 74f2d9b2f9665a1ff083701456a0fbfe351f855a
SHA256 68011bc3741ebcea48f08ff2aed8519762a946f3e0fb9c224b1d3810ebf5bf4b
SHA512 80b570051324f0987f388b78f2b2b2a50df2ece82eb6c003ed4ab5fc1456789fdb4a616c3be760580d30f48aef656eb3604cbd0a7808c49f03b347f2d4388cee

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\AForge.dll

MD5 02c63f568e598aad85dd401d7b26e82a
SHA1 2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c
SHA256 966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
SHA512 da9bff86be8fa890dda80a35ee6c851aa655f087f81804a23c73f8c586b7e13ac5a643e0a516a35787cd97b392aec16bfb95210080e4e53e6144fec9316acdb1

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\TurboJpegWrapper.dll

MD5 f5639d78d8c860df0176b1499695e8b3
SHA1 a70f699d75903ca2ae31098f4687add23245804d
SHA256 9c8de413bf48e680ded9db3b3a4c7773642b9d6c76973ae95d40eb0cba31d4e2
SHA512 2098dd214db72b7f9b70c58cd1fcb53dd4982e441c19b3571941f9026e0dde0ae9005bb084ecb2f21ee2e24776fc95d60cb50b11fc536a68ad153efc1dc8ef0c

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\pthreadGC2.dll

MD5 928c9eea653311af8efc155da5a1d6a5
SHA1 27300fcd5c22245573f5595ecbd64fce89c53750
SHA256 6dc4bee625a2c5e3499e36fe7c6ff8ead92adf6aae40c4099fdc8ef82e85b387
SHA512 0541d706bb53f8a04c78fcf327c4557553fa901d645ad2fd446e79753b4729f1e36793f42fbdd9b5e92073a30ed9a3dd853773a06ebea8e9302ece91a6c5362c

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\mingwm10.dll

MD5 a5a239c980d6791086b7fe0e2ca38974
SHA1 dbd8e70db07ac78e007b13cc8ae80c9a3885a592
SHA256 fb33c708c2f83c188dc024b65cb620d7e2c3939c155bc1c15dc73dccebe256b7
SHA512 8667904dda77c994f646083ef39b1f69c2961758c3da60cecadfe6d349dd99934c4d8784f8e38ae8b8c9eb9762edd546f2a7b579f02612578f8049e9d10e8da7

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\Qt5TextToSpeech.dll

MD5 3cdb361b43a3ce45145df5bad519df63
SHA1 8f7cfe31068584151bf913171c82949fd7a945f2
SHA256 8f5a39d8e35d981a8200fb4a83b42b72ec71a9c5db16a09c5df69b001bfb2e13
SHA512 88722199a716dbe665204d9d192207594cd3819130d22c07133e8a229628f66e5eddab60dbb1759ba389cf42398c32eafca8b74e07b3dfce4c916fd8715d566c

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\clock_common.dll

MD5 85d02f053f1151ac4d3fdda5ea10adc6
SHA1 a134e20a33387a3bfe256b36585d9ccb6113a29f
SHA256 989354441731eafd1cd63285ab681176a43f08ea999362c5d792c9b2bcbd6564
SHA512 146233b07a3d81f7aa7c2a5e055935fb61307e20dc15b168c248f6d83f934d916184b568e39f7ad8c6ce28d26eb5b1605d6b2200b5ddc2b6cf0bc0dd114981c2

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\skin_draw.dll

MD5 72ad6c45aaf461326f5a512afb4b33b0
SHA1 4b6791aa02c76e96256bf19ec9ff828303a308b8
SHA256 dcf318a760aeecca2496417d5111b059867471919d2721d766da7d29d29df305
SHA512 5c495d059aa51beb4be143a9beb496f380b84f28bc4090e2c21f942e5847dfb5c2cdfd759636eacf4b2820fb6f68cccd8b60ce336a721d03575f45f9496f6b99

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\plugin_core.dll

MD5 b79d7159ba735958c18148dcdf543571
SHA1 d7d4d4aedf7897092665dfc573e9fe9c313c2fe4
SHA256 638aa5d39ae52d09317c001bb8163fbf1ffdea03e371ed61457d765ad35a5e52
SHA512 79b7ae9a722714c6d640f35b81e54fb9a0b8e6042b99705094d6e968736d1389ed0e2a90c5120955a458d158d9af8a485ff4b5dbc9227165c11dcf62fd180c71

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\nqf

MD5 409a406d256db9eb024aaeeb346f7a65
SHA1 3a18ea9e1e80c2b1dea030a2f3cf689b52e1543f
SHA256 5686b211ee592583291cf562d369390b376f5d67a1ed7b5ad9adb86b4bc0f603
SHA512 b326172fa7cef082fe99204b14fd02bb53260a11abebdea24a52c0b5abfce63baf5150880b047a45707a81dfdd06930e2ed3d4b1a5e336c768f39643e6c83d70

C:\Config.Msi\e5759fa.rbs

MD5 e10156242c9f8418eb835d1e0dc53fd8
SHA1 8a94b6d4b391c74c2586aad37e16bda3f933cc9b
SHA256 92be7888f058625bdafdc9e0e6764f299362b585c72e934b27503179238d0e7a
SHA512 47331912aa0a49e9703bfd79adf35a4a978edf497bebab9ee44ccc5a9f9bdd4af8beb943a1fcf92804284074b122a961a1762e34c9be16090831b507c5ac76ac

memory/1540-387-0x0000000000400000-0x0000000000902000-memory.dmp

memory/1540-390-0x0000000000400000-0x0000000000902000-memory.dmp
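
One check worth making before pivoting on hashes from this table: the binary that actually ran is C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe, but the only plotbinding.exe with hashes in the table is the staged copy under ...\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\, and the submitted sample itself has no entry here at all (its SHA256 is in the overview). The script below is an added example, not part of the report: it parses the table's path-then-hash-lines layout, separates code and extension-less files (such as nqf) from the bundled images and text files, and maps each executed image path outside C:\Windows onto the table as an exact match, a same-named staged copy, or absent. FILES_TEXT is a constructed subset of the table (SHA512 lines omitted for length; the parser accepts any "NAME hexdigits" line), EXECUTED is the image paths from the Processes section, and the code/data classification is the example's own rule.

```python
"""Cross-check executed image paths against a sandbox report's Files table.

Added example; not code from the original report. FILES_TEXT is a constructed
subset of the report's Files section (SHA512 lines omitted), EXECUTED lists
the image paths from its Processes section, and CODE_EXT is an assumption.
"""
import ntpath
import re
from collections import defaultdict

FILES_TEXT = r"""
C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\decoder.dll

MD5 831e0b597db11a6eb6f3f797105f7be8
SHA1 d89154670218f9fba4515b0c1c634ae0900ca6d4
SHA256 e3404d4af16702a67dcaa4da4c5a8776ef350343b179ae6e7f2d347e7e1d1fb7

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\adv.msi

MD5 38e86aa5edd43ebb9fde9e7f91d401ab
SHA1 8692b4df65292468ff980a1db65e7430a8e28338
SHA256 4728fecc96ddafbb605e1495520cc6f0481c01c347c18be5a9f1c2438b645ce1

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\plotbinding.exe

MD5 dd4f414eaa72de78b0e96a65bb50a4b9
SHA1 b62de26bef42ed77d5dcae0580e555e436006456
SHA256 9edbeedf3d8376f5922784c8c9c33af0d0836a9b98aaac60e1e32108270726d7

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\README.txt

MD5 7539e219a0d2331524b97605c4fe641d
SHA1 718d7c209915ff4944a81ef38701542d63ea30e2
SHA256 3f169438204953468391d382ca1813c54a0301b733c59bef9178c2d55e9e7e0b

C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer 2.0.5.8\install\F4F67A4\nqf

MD5 409a406d256db9eb024aaeeb346f7a65
SHA1 3a18ea9e1e80c2b1dea030a2f3cf689b52e1543f
SHA256 5686b211ee592583291cf562d369390b376f5d67a1ed7b5ad9adb86b4bc0f603
"""

EXECUTED = [
    r"C:\Users\Admin\AppData\Local\Temp\22fbdbddd05ab5346e7a7f5adb79cc2e_JaffaCakes118.exe",
    r"C:\Windows\system32\msiexec.exe",
    r"C:\Windows\syswow64\MsiExec.exe",
    r"C:\Windows\SysWOW64\msiexec.exe",
    r"C:\Users\Admin\AppData\Roaming\Tua Rua Ltd\FreSharp Bindings Viewer\plotbinding.exe",
]

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.I)
CODE_EXT = {".exe", ".dll", ".msi"}  # assumption: what counts as "code" for triage


def parse_files(text):
    """Return {path: {ALGO: hexdigest}} from the path / blank / hash-lines layout."""
    records, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
            records[current] = {}
        elif current and (m := HASH_RE.match(line)):
            records[current][m.group(1).upper()] = m.group(2).lower()
    return records


def classify(path):
    """'code' for PE/MSI extensions, 'no-extension' for bare names like nqf, else 'data'."""
    ext = ntpath.splitext(path)[1].lower()
    if ext in CODE_EXT:
        return "code"
    return "no-extension" if not ext else "data"


def triage_list(records):
    """(path, sha256) for every record that is code or has no extension, in table order."""
    return [(p, h.get("SHA256")) for p, h in records.items() if classify(p) != "data"]


def cross_reference(records, executed):
    """Map each executed image outside C:\\Windows onto the Files table."""
    by_name = defaultdict(list)
    for path in records:
        by_name[ntpath.basename(path).lower()].append(path)
    exact = {p.lower(): p for p in records}
    result = {}
    for exe in executed:
        if exe.lower().startswith("c:\\windows\\"):
            continue  # OS binaries are never in a dropped-files table
        name = ntpath.basename(exe).lower()
        if exe.lower() in exact:
            result[exe] = ("exact", exact[exe.lower()])
        elif by_name.get(name):
            result[exe] = ("staged-copy", by_name[name][0])
        else:
            result[exe] = ("absent", None)
    return result


if __name__ == "__main__":
    recs = parse_files(FILES_TEXT)
    for path, sha in triage_list(recs):
        print(classify(path), sha, path)
    for exe, (status, match) in cross_reference(recs, EXECUTED).items():
        print(status, exe, "->", match)
```

For the report's data this yields four triage candidates (decoder.dll, adv.msi, plotbinding.exe and the extension-less nqf), reports plotbinding.exe as a staged copy whose SHA256 9edbeedf... is the one to pivot on, and reports the submitted sample as absent from the table.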