babadeda | 93dc6becd9d4c16eecf188a19798f9cbbde3281270efe869f8f6c81a7815a74f

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Size

5.1MB
MD5

a6e9b1557039c81fc4d4afabc0399f6a
SHA1

0be9fb79d915d83e1f0566a428becd18660edcd9
SHA256

93dc6becd9d4c16eecf188a19798f9cbbde3281270efe869f8f6c81a7815a74f
SHA512

da8772164b38eacb523a551b6a36d96857e21154586f6d5e8aa0116bc50cb634039171988167c6631aa7a39d30d48d3f978010b307a2ed57918b51e56beadebb
SSDEEP

98304:oPdx/6o/EJ6N6ExIxrnumYqF2w/IXO1tL6l5fj4yRDepJ:oL6ocnTWXE+l5f3iJ

Score

10^/10

babadeda cryptbot crypter loader spyware stealer

Malware Config

Extracted

Family

cryptbot

cemujq44.top

morihg04.top

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001950c-256.dat	family_babadeda

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Executes dropped EXE 1 IoCs

pid	Process
1204	cecilcore.exe

Loads dropped DLL 11 IoCs

pid	Process
2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
2568	MsiExec.exe
2568	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
1204	cecilcore.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1544	msiexec.exe
5	2556	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\V:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\E:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\L:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\W:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\N:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\P:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\R:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\U:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\Z:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\J:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\T:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE5B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE67E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE73B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE826.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF080.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e032.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e032.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE43B.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e035.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e035.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cecilcore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cecilcore.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1048	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	msiexec.exe
2556	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeTcbPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSecurityPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeBackupPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeRestorePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeShutdownPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeAuditPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeUndockPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeTcbPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSecurityPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeBackupPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeRestorePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeShutdownPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeAuditPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeUndockPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1544	msiexec.exe
1544	msiexec.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2568	2556	msiexec.exe	29
PID 2556 wrote to memory of 2568	2556	msiexec.exe	29
PID 2556 wrote to memory of 2568	2556	msiexec.exe	29
PID 2556 wrote to memory of 2568	2556	msiexec.exe	29
PID 2556 wrote to memory of 2568	2556	msiexec.exe	29
PID 2556 wrote to memory of 2568	2556	msiexec.exe	29
PID 2556 wrote to memory of 2568	2556	msiexec.exe	29
PID 2180 wrote to memory of 1544	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe	30
PID 2180 wrote to memory of 1544	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe	30
PID 2180 wrote to memory of 1544	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe	30
PID 2180 wrote to memory of 1544	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe	30
PID 2180 wrote to memory of 1544	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe	30
PID 2180 wrote to memory of 1544	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe	30
PID 2180 wrote to memory of 1544	2180	a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1924	2556	msiexec.exe	33
PID 2556 wrote to memory of 1924	2556	msiexec.exe	33
PID 2556 wrote to memory of 1924	2556	msiexec.exe	33
PID 2556 wrote to memory of 1924	2556	msiexec.exe	33
PID 2556 wrote to memory of 1924	2556	msiexec.exe	33
PID 2556 wrote to memory of 1924	2556	msiexec.exe	33
PID 2556 wrote to memory of 1924	2556	msiexec.exe	33
PID 2556 wrote to memory of 1204	2556	msiexec.exe	34
PID 2556 wrote to memory of 1204	2556	msiexec.exe	34
PID 2556 wrote to memory of 1204	2556	msiexec.exe	34
PID 2556 wrote to memory of 1204	2556	msiexec.exe	34
PID 1204 wrote to memory of 1660	1204	cecilcore.exe	35
PID 1204 wrote to memory of 1660	1204	cecilcore.exe	35
PID 1204 wrote to memory of 1660	1204	cecilcore.exe	35
PID 1204 wrote to memory of 1660	1204	cecilcore.exe	35
PID 1660 wrote to memory of 1048	1660	cmd.exe	37
PID 1660 wrote to memory of 1048	1660	cmd.exe	37
PID 1660 wrote to memory of 1048	1660	cmd.exe	37
PID 1660 wrote to memory of 1048	1660	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\adv2.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1711919732 " AI_EUIMSI=""
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1544

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91FC1B46A781A3C163818CF8D04943DB C
  2⤵
  - Loads dropped DLL
  PID:2568
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B63CB0E1F4D0D0F3E171DF032286965E
  2⤵
  - Loads dropped DLL
  PID:1924
- C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe
  "C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mYIWJGIsgXQmW & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e036.rbs

Filesize
16KB

MD5
a5c040adf5cfe01cf03235559110bff2

SHA1
cb20a699bd5350dc4a5f390277a445849d0b616f

SHA256
9079bfe26b707079d36dd01508605364abc3901c5e5cf3e0c3b2969b42aa0c21

SHA512
b6d9412596e462203ec38460520ef2053f348c89ecda2e67ea252a8ccd425b31a5c88178df436201a856792f2202a782924bc48775ad2a5c352f7e3aa283be49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb7a6d27c9a126a77af2746c4c4f312a

SHA1
56a60a353240812e1e7009869694e0ff37035a15

SHA256
4cd750ca332aa25ce5f7267776119014853dd847c311061449197e3b41f0b040

SHA512
8dac4f9c935cb80a428c8c79250dae7cdc04745f4c89a774e5a207c81954d3d1462597600fee65fa79098e6e60f9cf563be643de80161d5e7b43baf4629adb58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d745d13cc84429559eba5fc7e109d02

SHA1
15d4a9cb4109c448a6a853565afc497853b405a4

SHA256
d68d5ee86db0620c2d7a6393eb5374fa7fddee5e4c9c1275cffe60d495cc64b1

SHA512
de4fcc7d1259b866aa01dda00ed81806f0a198f8fd45d0194cd031e3e84df342c8c9ff71ee5dffa898a3a7993dba8cb9c0df3b43ed590d340ac1ae6efa09420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFFE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID777.tmp

Filesize
393KB

MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID95C.tmp

Filesize
866KB

MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD06E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD525.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\AForge.Video.dll

Filesize
20KB

MD5
0bd34aa29c7ea4181900797395a6da78

SHA1
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8

SHA256
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d

SHA512
a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\AForge.dll

Filesize
17KB

MD5
02c63f568e598aad85dd401d7b26e82a

SHA1
2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c

SHA256
966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da

SHA512
da9bff86be8fa890dda80a35ee6c851aa655f087f81804a23c73f8c586b7e13ac5a643e0a516a35787cd97b392aec16bfb95210080e4e53e6144fec9316acdb1

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\CHANGES.txt

Filesize
7KB

MD5
109e9d23496dc406050f895409be2531

SHA1
5a8659d65025b121c2a16d80d3d55cd9c3a5a7ef

SHA256
b58477a045a7411ff95ca8b1e055801d5d10055e2de52e1a94397919a09d82c2

SHA512
548fa0ec3b1a4056440867e7b7fd7374ab9d08e0156121ef7e1f7c57ae97a58b5c357cdd69ebd18df80ca4078fb595cddebda245b317213b140cac5069ab7058

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\COPYING.txt

Filesize
34KB

MD5
3c34afdc3adf82d2448f12715a255122

SHA1
7713a1753ce88f2c7e6b054ecc8e4c786df76300

SHA256
0b383d5a63da644f628d99c33976ea6487ed89aaa59f0b3257992deac1171e6b

SHA512
4937848b94f5b50ea16c51f9e98fdcd3953aca63d63ca3bb05d8a62c107e382b71c496838d130ae504a52032398630b957acaea6c48032081a6366d27cba5ea9

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Common.dll

Filesize
14KB

MD5
5026b281f29df1f4c2ab120a70f3550f

SHA1
7ae56eb0d2fa8b52f95d1f4ba692cd6caa95545f

SHA256
e3dc7ea9412525f29f4a13d412a8b64d7da0e18f5c506d26df5d958f7667280a

SHA512
0a1afe8f22d8362b55b86a40589116e94f4c1ce56ec1ee5ce633eb881314304f31a69d683b70011d3d9ac3b25b6af96315573d270dbcb28148919a435affa7d6

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\bootstrap.min.css

Filesize
156KB

MD5
930dcbc9f2338de708fc0a1b83bf4509

SHA1
d7d00b64854a54676c86095289e5def76b98ac96

SHA256
e57af0825712ee377ae2058e81fad4f4f0797ff8f8a25db7986a9e64d4c1696f

SHA512
ebccc26d94d200b015ed6ff9887c969aea1de694ec559724fd06f26a6e40fbeed15cc27be7b7fd051b08b8724a78993feddad5211e1d5b9e0d9ae07ffe22df15

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\codemirror-show-hint.css

Filesize
659B

MD5
d10a1f4608d7efee6e1324f695a97d53

SHA1
4694e77be609ddf88b05776e6a48e1be5ef878d6

SHA256
ca2f7e4e1f3ae6f24dea4530d1689d6047486a2f3fe3e7263cea588ba50308ba

SHA512
44ee29c9521b5ee5d1dcdb19eaf17e494d317c1ed587ee9422b3ff4b5308f4fee532b7fe17cf532327a138b4df6d03b1cd0ac49868d78475d16f9abf5203719b

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\codemirror.css

Filesize
8KB

MD5
e055267740a559a23894deaa50d05ac4

SHA1
2d8958657e19ac0b6d4c67c712d51c515d9c2310

SHA256
959c7856fea239bed270e36a5dddbe88e9df41282f7825980ff4f138eb13ea0d

SHA512
64deec31251c458da8e70c33ee9da0af47a11eecfa6ff832bbd5c8e1ad605af42f2b86effc8a35037c69c64ac8880a38721da814cadf8b1593f6a911a01deccc

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\strokesplus-net-custom.css

Filesize
10KB

MD5
cfe32358318a1928a7bc0bce112e2327

SHA1
c619fd30dfdf41a2000b9b672df021853ec10ffe

SHA256
c255bbd1adfca403430b817de645bd182a2a3073c5a21c0d453135b54be18b8b

SHA512
0bfc64084cc1d5dfc2218939809e5be92cad7595d7edbb0870bac709a7c3429b1170cb53dd5323c3af29f8674c2bdee8d8d1fcd6200b2c14e986631b9b50b68c

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\codemirror-autorefresh.js

Filesize
1KB

MD5
acf40711fa45f55dc8151c5a5c9dbdc8

SHA1
22bdf3f1a0fce9e7a39acc91e4aae131f970e025

SHA256
e5c187fdd5c12381b40c0353151b4df5f2683974227bb49818979f7b46b7e58f

SHA512
5ce912d75c7dcd5c73894a481eefd5224e6e3d43d80f934240a9cd6611db19dee279f9585d09be1eb5d19097c6ac22154ed5139237a1b1f1d64e9a9496e563ca

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\codemirror-javascript-hint.js

Filesize
6KB

MD5
e02e3288291152006a345a01157f52b1

SHA1
c5e89f23a97da8413d628fe28cacb0cfae9a695a

SHA256
b0ad564bab726f3d22bf6ccdf411c3b3f114137801cafb895b495c142692fa96

SHA512
91af819cd8805ba4fa0eec032539c501fed91072f6747d25100b062b90233900f9d530c68c6711376c4594ff86195d39436e2d9ffe07df389b9295f25b4fb2c2

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\codemirror-matchbrackets.js

Filesize
6KB

MD5
d2142081656b946bc138ceedef12f110

SHA1
30da17d695fd90ef7f6ad1ee0ad687ea003173ea

SHA256
acb4d9f072d524666b6999def93b56f2eb9734efd6e88d01d876449d913dc9b5

SHA512
2835a19c2cffb6aae8316478a8f0ac6bbee5bb8365460008085a016078d661b5a7ff37e88109d387a48a7eeeab099db95899c6909c5124d43a2619120cdcede5

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-applicationeditor.js

Filesize
315B

MD5
84a8abb51fe73fadd307a23e19fc1b4a

SHA1
359cee1fff2096efd100b96118beea7eb476813e

SHA256
a543b62da0d5c46580cd4a458c43fa1470b790ca72723640a16bc5176a8a535b

SHA512
a3c81afd5c587c03f2d69125c439ae847e9f3c791c60d4b1d3f9ad988c27485479bad3f7096def435eeef1be2feefe1c2f918781ac9f6bb73970f1cfae3287bd

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-applicationlist.js

Filesize
3KB

MD5
d0e079183bee5523e5738e0f57353345

SHA1
ca9b3f53c01f29740e4a7960273391acc884a05d

SHA256
6aaad853f929abe47b191d36f34bc37a2c4255f4775bf80853e55a6475fb4ff0

SHA512
a0cf946c1aa32c7885230cdf2d9a19b643f517ec28155cced2c5e6801785d96e7e5c4e8f09b2107cba681e7c438308b15b3c786effbea6fcea9b18fc04343d07

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-load.js

Filesize
3KB

MD5
90647a282f5507897418f1b93b1fd429

SHA1
b9562248342eb5ff8d40f7144858123cf022eba7

SHA256
e638cd7ffd900370eeaefce5f76e67502e4e6c533314fa3884491dda5b34bdc5

SHA512
86fcc0a413a3946141d8fba702902585dfa725dfce26439b3abbd7ba531580f28055a18e497dee84b42633afa14591460e72720e8d3b526d3f9ca18ef6376cc1

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-menu.js

Filesize
2KB

MD5
ef5f68814a70144c054802048ee0db80

SHA1
22af70331159703b4a2c6cac3bcb7e92ac316271

SHA256
786661250d3a23c9edb9a812d8c18151ed38cb47a8dc7dd26194ff735eccb11d

SHA512
74065bc3727b1ecc1c575d5a694f6052835ad87bc83e97841a2802aacfef414c6a60be20dbebe9e0879be3fd89154619842a406f99acf03ba7d63a35be0b145f

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-modals.js

Filesize
2KB

MD5
1ef87a281123c5cf05a27abb05cce9bf

SHA1
4e45ad0f4ac6572cf9f6c3d30b5b2bf417f60aaf

SHA256
2e934f10ea7d49b0a45a80312944ba8c8ade999995a6a54f13ee4ac1a88a94ea

SHA512
2ca5dab215b025d5c5b49a48faad291b580889fef8662ad40dec05166ed9daa0a005e873dff37ed91ff6957ace763525f930963c5563315a11b608445cccb3df

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-scripteditor.js

Filesize
1KB

MD5
c76f02e12e1bd7e8a484ce78913a5881

SHA1
6af07c90c7fa0e8d5b43264d4b3fa4a74c3a25ce

SHA256
8a1dd204ceb91d148dd460b5ba13eed0e60cfabdd17dd8425aca50bb513922c2

SHA512
828e33312deeb0c138e14a6318055e15036bd367f5936a353a3da2c925a039dff98024f2aa861165a9c8ca0107fad21dcb43be009c5f5916c787c455eba52ac9

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-stepsscript.js

Filesize
5KB

MD5
86a6f8437cbfdaa196d7ae2ea3eff024

SHA1
05ef040e39ccbd8eeafeeb3e68c1d581c72aecaf

SHA256
e55a40b29c4d0c6486a5de06339df942df684eefa5cd2467d25912eeb58eaf7d

SHA512
624eb001ca62838f545e68fba6a68601bbd98008c5ea084ae5889b4e6200194c4d441c4cbe1fbae00bd37e91224511563aa927b5deaea4789ba30a084c32e565

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-toolbar.js

Filesize
47B

MD5
3565523f8a48212afba16dda4edb5a79

SHA1
c12de32579532c8a001cd441c2be3aeab89fb973

SHA256
408f0bcec00b4bccaa3e5027fdb9b41f2132f64f6b45cef605d23c7e34cf3c0b

SHA512
f354a906d11c1e1f564ed7dbcd5d3fed5db4485820eae9c435e01cb85d4f679bd791078dbba1b1a16425a53c244bda7e7f4c425078710bce1a406d58df4df2ff

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-utilities.js

Filesize
7KB

MD5
fbbc2c82a901706313fa662d87157b51

SHA1
34a6907255f00544d88cf76c9a9bb9edc36cecae

SHA256
00de4f095edd15c610df1455794befd35f69ddf8cb90d50d5769c32b7af63b97

SHA512
9acbe4fc210882d706a0779627a01ace939bbf6bd0cde89d970249a14e17c9bca8f5aab12e2f56bc8e80f0f282b8aea6fab29314a8b50e726c47fed5a61df041

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\settings.html

Filesize
190KB

MD5
d5bfe7e5091e21b227d2902936d58c4f

SHA1
326b6c6de0e045ab194904ff051839bee344487a

SHA256
1b50734d8509c1a0a56cee933e0fa59871f0d89f433f880fd22bcc6dbaf91667

SHA512
221c2b7da8a2727cf7022fb4403f6859a2193144f72a232a2f3da402507bcc75fd0618c3368b96d0f33581607323379e5584069cfe872996d94d2ca8631c3970

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Interop.IWshRuntimeLibrary.dll

Filesize
48KB

MD5
9569c5ddd9ab1e7bfd24e41250a67903

SHA1
304afddbbaac26843cf53b9713e09a85fe525cac

SHA256
6a80b9d1bd609a3cb6af8cf8c1534f7baca1d78ad353ce6ed5b578a0ba96eb83

SHA512
7bc2a98f9fb934212cbc7b8dac21ec38b89b39a3f60ef53490bb25d07c286d1db4da1757b766f323615185aa26f094e601337110da14224fcfe3ce016eaf0c54

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\LICENSE.electron.txt

Filesize
1KB

MD5
f8436f54558748146ec7ebd61ca6ac38

SHA1
ef226e5b023d458efcdc59dc653694d89802f81c

SHA256
34f6f27c26d1bb8682ebb42ae401f558228fd608455bd7c6561d5fd500b7d05b

SHA512
5b310b48bbee286f03e645e4bfad0ec870a7c68c445d54f46f3eaaa9c427f9de6cd0561d451838bd53c78a5289e9f0bda19cda4257a4657580afa6c357913050

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\LICENSE.txt

Filesize
2KB

MD5
fc292eaec94367e0775fa0638880ebce

SHA1
fa5ff95ef7e8f5ad9cfc77738f5e6c0ca96572dd

SHA256
971f1733cb237ddd626e579954938c6fc0e925ccbf885074ad5fcf19b4efbe2e

SHA512
4f3ceb0d390f47fae7294db5399177a1128dd196cf58a45768984c1783ae4e0c0d0746aae716b2a08f7058df214494a7fb20c8bc982d0e3b8cb3d70ccef7917f

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Mono.Cecil.Mdb.dll

Filesize
42KB

MD5
a269c436d17634aecf2ac0e95c44728c

SHA1
3dae54046aa5edbcf58ff38acc1d12682e3442b5

SHA256
f02a2d8154ef002863702d6513c6773ebbb83e520834c2ac8e38c6a7f0174e27

SHA512
bbd1740bce3d1eecccaa560696cc5b0999a1e00c3d6747f3bb93ab44a5f9a2186f01048fa69e173b89c40b98bddf13c4de92564b13c0ec36eb96b69ec65dc157

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Qt5TextToSpeech.dll

Filesize
49KB

MD5
3cdb361b43a3ce45145df5bad519df63

SHA1
8f7cfe31068584151bf913171c82949fd7a945f2

SHA256
8f5a39d8e35d981a8200fb4a83b42b72ec71a9c5db16a09c5df69b001bfb2e13

SHA512
88722199a716dbe665204d9d192207594cd3819130d22c07133e8a229628f66e5eddab60dbb1759ba389cf42398c32eafca8b74e07b3dfce4c916fd8715d566c

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\README.txt

Filesize
8KB

MD5
7539e219a0d2331524b97605c4fe641d

SHA1
718d7c209915ff4944a81ef38701542d63ea30e2

SHA256
3f169438204953468391d382ca1813c54a0301b733c59bef9178c2d55e9e7e0b

SHA512
c8886ba4445e612bedb7c9f8b8b7044c016ea45ad5f80b1a9082707a2b7c5334bfe6b7ac8df4c2f603d0bfd1dbb727691d65e3a6c14acc78104b869c9bb97dca

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Memory.dll

Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\TurboJpegWrapper.dll

Filesize
19KB

MD5
f5639d78d8c860df0176b1499695e8b3

SHA1
a70f699d75903ca2ae31098f4687add23245804d

SHA256
9c8de413bf48e680ded9db3b3a4c7773642b9d6c76973ae95d40eb0cba31d4e2

SHA512
2098dd214db72b7f9b70c58cd1fcb53dd4982e441c19b3571941f9026e0dde0ae9005bb084ecb2f21ee2e24776fc95d60cb50b11fc536a68ad153efc1dc8ef0c

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\WindowsInput.dll

Filesize
22KB

MD5
eda6dcf70b3423d40078e5440fad3704

SHA1
0ddee7bf081fa20e71683d9ab2029ce93a7ee1b3

SHA256
f44326a1a2e2fecb4029c19b7a5c0777821cd6bae9b415989d3f8007c15861d5

SHA512
0b0f3b889ebc1a88b0fff477256fa5b234e520c64f0a695f125c0226133f35c2d6f57c83de648fce19e30fbecf9ce401475221d8f761c896479cca4d4a96c3f8

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\adv2.msi

Filesize
2.1MB

MD5
4194f484a9eddbf061602ca3518109fa

SHA1
d0ce65bca7177b505c77b86133c926a6d59238bf

SHA256
518f0ee6728f89bca8d394aadfd77a0cba35308c25225eaffd2ed04daa6cfb71

SHA512
a4c1badbc35bb79f14595c83a3dee09aeab18891fd343dfe597e680e891c6a7b333b947d939933f4c0e441cd8645e78dafb042992a0b6a4820a5fc5a5d4ab093

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\basswma10.dll

Filesize
381KB

MD5
a1b72973bb9af880f8d90f15c45764d4

SHA1
25491e8d1bfea8212b21c3acfb4f3232522e2a8a

SHA256
9230e808b848f07d23f814b2401f6a11d9753338912361e10d0962b1bf603bb1

SHA512
9749ca312902cfc5aff12e41119e9a6a98c2a67d8c80d1793bb8f75e930158734f29e965e6215aa19a0fec437697a0c00e2f440c0c9839aac4200b9ebd0dd09e

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\cecilcore.exe

Filesize
3.1MB

MD5
fa13d6d888e69b5b795fcfed11b2492c

SHA1
e96008828cb3bc7f98208bb7e76e694e4f4b85cf

SHA256
f9c1794ea531bc185b1c1449b516a198c74075629d75569b710fbececa864298

SHA512
35c0b99db5fcae02f7309919802b7b4ff4a17d3c87cb6edc21891c7eefcbf2ba344eb4b3c213bff43e6b5b892a9f9a2db6fe8269c2a76376bb8d57d7f62f76cd

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\clock_common.dll

Filesize
64KB

MD5
85d02f053f1151ac4d3fdda5ea10adc6

SHA1
a134e20a33387a3bfe256b36585d9ccb6113a29f

SHA256
989354441731eafd1cd63285ab681176a43f08ea999362c5d792c9b2bcbd6564

SHA512
146233b07a3d81f7aa7c2a5e055935fb61307e20dc15b168c248f6d83f934d916184b568e39f7ad8c6ce28d26eb5b1605d6b2200b5ddc2b6cf0bc0dd114981c2

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\libEGL.dll

Filesize
150KB

MD5
89a6ab09dac37a28f2267c8b65ff55c5

SHA1
9ce53e0e5b904b6a94b4d4988096609636bd14e4

SHA256
5efc0aeb984eb7691305b362088406ab82d5b2d9fc7ad6332f0d6e0919762cd0

SHA512
0806db4d43b5841f76b773df37b2548bc2dbf968df59d4538181be31f0434eb098b9e229f7cbe524a31eb75cbabc50972236bb9eaf30b4f15e4f2cfede7fce14

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\locale\de\LC_MESSAGES\default.mo

Filesize
63KB

MD5
c41f0999d7326fbd354bbb86b0c1a8af

SHA1
590e72b3fc64f09ab4e4ea2e42285c09ad933b64

SHA256
eff1bb0c9e6c16989b09346f526c90d80e1a748a779856953ea3e69f92b68fea

SHA512
e7aa424b77f27e526922c5658555b56cf42f2b20b7b14a9c86ad136b521ac0195dcad04ee7a302d034153bea94f3e36695f6100ebebffda216a2f3692646d8cb

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\locale\es\LC_MESSAGES\default.mo

Filesize
64KB

MD5
943e56b4a41280e72db9c212e7469e1c

SHA1
9a0d7a277a923c6f6b8b8909310965f03d2143d5

SHA256
eed96f63a25ea4ff4b91e801d9bfd94c3249d975320e0fac5ef8b5e45a58985e

SHA512
e3fe207cf0f05dccb893124cfce136e7ec7ff81e6d20ee8bb2326f81a8f1cbef8031087f4addeb5bda96e7176c5d3b997c5357d5071867a7c5cd2223f63f81b9

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\plugin_core.dll

Filesize
133KB

MD5
b79d7159ba735958c18148dcdf543571

SHA1
d7d4d4aedf7897092665dfc573e9fe9c313c2fe4

SHA256
638aa5d39ae52d09317c001bb8163fbf1ffdea03e371ed61457d765ad35a5e52

SHA512
79b7ae9a722714c6d640f35b81e54fb9a0b8e6042b99705094d6e968736d1389ed0e2a90c5120955a458d158d9af8a485ff4b5dbc9227165c11dcf62fd180c71

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\postinstall_readme.txt

Filesize
1KB

MD5
24ac8ba156f8fbfd86a4292e4f44631b

SHA1
081d1ec03058bba9ff43b40f39891b82a3cb3b6e

SHA256
37c45cea617294e1aff68e83fdf0ff14ca454049f9896b5ccd2bdeb22140fa1e

SHA512
9874047be537596921ee8375e274499dce122f45257c714c0bcab5ba5e9a91540c37578b9f96e4a9a3376c3a311ef934b85758db1aa8d71329dce74ed17f6581

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\sig

Filesize
591KB

MD5
a96984d1c71c6799cbbf44c19adc046b

SHA1
b2fb68f027dd71184d8872d7ff8aa6deefc8bfb1

SHA256
a453bc91e3a825078753c667c22f606412d2a4cc995e975eafb1ae178afb6117

SHA512
920aaf54812a962c42f188fe1ea4c1cec77036bd72b27351b36aedb530fb517d9a9332ef132d16ee2d468c6087f7a1a11dd1090f51d1374eadb22b81961ec1c1

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\skin_draw.dll

Filesize
61KB

MD5
72ad6c45aaf461326f5a512afb4b33b0

SHA1
4b6791aa02c76e96256bf19ec9ff828303a308b8

SHA256
dcf318a760aeecca2496417d5111b059867471919d2721d766da7d29d29df305

SHA512
5c495d059aa51beb4be143a9beb496f380b84f28bc4090e2c21f942e5847dfb5c2cdfd759636eacf4b2820fb6f68cccd8b60ce336a721d03575f45f9496f6b99

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\decoder.dll

Filesize
202KB

MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_banner.html

Filesize
490B

MD5
5d1f7da1c3d95020a0708118145364d0

SHA1
02f630e7ac8b8d400af219bd8811aa3a22f7186e

SHA256
d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

SHA512
6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_connect_to_data_no_mru.html

Filesize
1KB

MD5
20bbd307866f19a5af3ae9ebd5104018

SHA1
8e03c9b18b9d27e9292ee154b773553493df1157

SHA256
e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

SHA512
420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_connect_to_data_with_mru.html

Filesize
1KB

MD5
e6bc0d078616dd5d5f72d46ab2216e89

SHA1
f70534bb999bcb8f1db0cf25a7279757e794499f

SHA256
e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

SHA512
6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_landing.html

Filesize
720B

MD5
0a5b47256c14570b80ef77ecfd2129b7

SHA1
69210a7429c991909c70b6b6b75fe4bc606048ae

SHA256
1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

SHA512
5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_topstrip_no_mru.html

Filesize
659B

MD5
eced86c9d5b8952ac5fb817c3ce2b8ba

SHA1
3ca24e69df7a4b81f799527a97282799fcd3f1e2

SHA256
3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

SHA512
a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_topstrip_with_mru.html

Filesize
798B

MD5
cc4d8a787ab1950c4e3aac5751c9fcde

SHA1
d026a156723a52c34927b5a951a2bb7d23aa2c45

SHA256
13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

SHA512
e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\stylesheets\start_page.css

Filesize
2KB

MD5
f2ab3e5fb61293ae8656413dbb6e5dc3

SHA1
53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

SHA256
06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

SHA512
2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

Download Submit
C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\stylesheets\start_page_landing.css

Filesize
282B

MD5
49617add7303a8fbd24e1ad16ba715d8

SHA1
31772218ccf51fe5955625346c12e00c0f2e539a

SHA256
b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

SHA512
9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

Download Submit
C:\Windows\Installer\MSIE826.tmp

Filesize
573KB

MD5
2a6c81882b2db41f634b48416c8c8450

SHA1
f36f3a30a43d4b6ee4be4ea3760587056428cac6

SHA256
245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805

SHA512
e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

Download Submit
memory/1204-414-0x0000000000190000-0x00000000004B2000-memory.dmp

Filesize
3.1MB

Download
memory/1204-419-0x0000000000190000-0x00000000004B2000-memory.dmp

Filesize
3.1MB

Download